diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index a0d181216789..4b5eb18995dd 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -9338,6 +9338,10 @@ components: description: The name of the policy example: my_agent_policy type: string + pinned: + description: Whether the policy is pinned + example: false + type: boolean policyVersion: description: The version of the policy example: '1' @@ -9365,6 +9369,8 @@ components: type: integer updater: $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdaterAttributes' + versions: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyVersions' type: object CloudWorkloadSecurityAgentPolicyCreateAttributes: description: Create a new Cloud Workload Security Agent policy @@ -9511,6 +9517,23 @@ components: nullable: true type: string type: object + CloudWorkloadSecurityAgentPolicyVersion: + description: The versions of the policy + properties: + Date: + description: The date and time the version was created + nullable: true + type: string + Name: + description: The version of the policy + example: 1.47.0-rc2 + type: string + type: object + CloudWorkloadSecurityAgentPolicyVersions: + description: The versions of the policy + items: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyVersion' + type: array CloudWorkloadSecurityAgentRuleAction: description: The action the rule can perform if triggered properties: 
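Review bot: The new `CloudWorkloadSecurityAgentPolicyVersion` schema describes a single object as `The versions of the policy`, the same text as the array schema `CloudWorkloadSecurityAgentPolicyVersions` declared right after it; the object should read `description: A version of the policy`. Its property names `Date` and `Name` are capitalized, unlike every sibling property in these hunks (`policyVersion`, `updater`, `pinned`), so either the API really emits capitalized keys, which deserves a note in the schema, or this is a typo that generated clients will bake into their models. `Date` is declared as a bare nullable string; if the API returns an RFC 3339 timestamp, add `format: date-time` so generated clients get a date type rather than opaque text. The `Name` example `1.47.0-rc2` looks like an Agent release rather than the `'1'`-style `policyVersion` used above; if it is the Agent version a policy version was built for, the description should say so.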
@@ -9548,23 +9571,32 @@ components: description: The set action applied on the scope matching the rule properties: append: - description: Whether the value should be appended to the field + description: Whether the value should be appended to the field. type: boolean + default_value: + description: The default value of the set action + type: string + expression: + description: The expression of the set action. + type: string field: description: The field of the set action type: string + inherited: + description: Whether the value should be inherited. + type: boolean name: description: The name of the set action type: string scope: - description: The scope of the set action + description: The scope of the set action. type: string size: - description: The size of the set action + description: The size of the set action. format: int64 type: integer ttl: - description: The time to live of the set action + description: The time to live of the set action. format: int64 type: integer value: @@ -9645,6 +9677,10 @@ components: items: type: string type: array + silent: + description: Whether the rule is silent. + example: false + type: boolean updateAuthorUuId: description: The ID of the user who updated the rule example: e51c9744-d158-11ec-ad23-da7ad0900002 @@ -9672,8 +9708,11 @@ components: properties: actions: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActions' + agent_version: + description: Constrain the rule to specific versions of the Datadog Agent. + type: string blocking: - description: The blocking policies that the rule belongs to + description: The blocking policies that the rule belongs to. items: type: string type: array 
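Review bot: In the set-action hunk the new `default_value` description is the only one without a trailing period while the same hunk adds periods to `append`, `scope`, `size` and `ttl`; use `description: The default value of the set action.`. The three value sources `value`, `expression` and `default_value` are documented independently, so a reader cannot tell from the schema whether they combine or exclude one another; the cassette recorded for this commit sends `expression` together with `default_value` and no `value`, which suggests `default_value` applies when the expression yields nothing, but that needs confirming and then stating in the `expression` description. `inherited` ("Whether the value should be inherited.") likewise does not say inherited by what; presumably by child processes given `scope: process`, which is worth writing down if correct.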
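Review bot: The new `silent` property ("Whether the rule is silent.") restates its name without saying what the flag changes, and the identical text is repeated in the update schemas at `@@ -9709` and `@@ -9832`. Because generated SDK documentation is built from these descriptions, the text should say what a silent rule does not do — for instance whether matches are still recorded but not surfaced as signals — once that is confirmed against the backend behaviour.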
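Review bot: `agent_version` is a free-form string described as "Constrain the rule to specific versions of the Datadog Agent." with no example and no statement of the accepted syntax, so clients have no way to know what a valid constraint looks like or to validate one before sending it. The cassette recorded for this commit sends `"> 7.60"`, so add `example: '> 7.60'` and name the constraint grammar (a semver-style range, if that is what the backend parses). The same property added to the update schema at `@@ -9796` lacks the trailing period the create schema has; keep the two descriptions identical.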
@@ -9682,12 +9721,12 @@ components: example: My Agent rule type: string disabled: - description: The disabled policies that the rule belongs to + description: The disabled policies that the rule belongs to. items: type: string type: array enabled: - description: Whether the Agent rule is enabled + description: Whether the Agent rule is enabled. example: true type: boolean expression: @@ -9695,12 +9734,12 @@ components: example: exec.file.name == "sh" type: string filters: - description: The platforms the Agent rule is supported on + description: The platforms the Agent rule is supported on. items: type: string type: array monitoring: - description: The monitoring policies that the rule belongs to + description: The monitoring policies that the rule belongs to. items: type: string type: array @@ -9709,14 +9748,18 @@ components: example: my_agent_rule type: string policy_id: - description: The ID of the policy where the Agent rule is saved + description: The ID of the policy where the Agent rule is saved. example: a8c8e364-6556-434d-b798-a4c23de29c0b type: string product_tags: - description: The list of product tags associated with the rule + description: The list of product tags associated with the rule. items: type: string type: array + silent: + description: Whether the rule is silent. + example: false + type: boolean required: - name - expression @@ -9796,6 +9839,9 @@ components: properties: actions: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActions' + agent_version: + description: Constrain the rule to specific versions of the Datadog Agent + type: string blocking: description: The blocking policies that the rule belongs to items: @@ -9832,6 +9878,10 @@ components: items: type: string type: array + silent: + description: Whether the rule is silent. + example: false + type: boolean type: object CloudWorkloadSecurityAgentRuleUpdateData: description: Object for a single Agent rule 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response_1067572025/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response_1067572025/frozen.json index 89c58d4383c3..f9cf337fcb58 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response_1067572025/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response_1067572025/frozen.json @@ -1 +1 @@ -"2025-05-27T10:24:52.127Z" +"2025-10-02T12:40:08.636Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response_1067572025/recording.har b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response_1067572025/recording.har index 8730263a3736..cface2460cbc 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response_1067572025/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response_1067572025/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "182e29cd0f933ff5c5588f4ce6215a21", + "_id": "6dad69ed8d2de111042566ddde7b1807", "_order": 0, "cache": {}, "request": { 
@@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1748341492\"},\"type\":\"policy\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1759408808\"},\"type\":\"policy\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" }, "response": { - "bodySize": 454, + "bodySize": 450, "content": { "mimeType": "application/json", - "size": 454, - "text": "{\"data\":{\"id\":\"wqi-kze-rt7\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1748341492\",\"policyVersion\":\"1\",\"priority\":1000000011,\"ruleCount\":226,\"updateDate\":1748341492528,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 450, + "text": "{\"data\":{\"id\":\"9lu-jcj-cfk\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":7,\"name\":\"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1759408808\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":8,\"updateDate\":1759408809020,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ 
@@ -57,11 +57,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:24:52.130Z", - "time": 746 + "startedDateTime": "2025-10-02T12:40:08.641Z", + "time": 909 }, { - "_id": "d7f17e68d7f3cfd45191d2db96081e72", + "_id": "eed3335bd94cae731f28b63a3ec7ab42", "_order": 0, "cache": {}, "request": { @@ -85,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\",\"filters\":[],\"name\":\"my_agent_rule\",\"policy_id\":\"wqi-kze-rt7\",\"product_tags\":[]},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\",\"filters\":[],\"name\":\"my_agent_rule\",\"policy_id\":\"9lu-jcj-cfk\",\"product_tags\":[]},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" }, "response": { - "bodySize": 154, + "bodySize": 121, "content": { "mimeType": "application/json", - "size": 154, - "text": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `my_agent_rule` error: rule syntax error: bool expected: 1:1: exec.file.name\\n^)\"]}" + "size": 121, + "text": "{\"errors\":[\"input_validation_error(Field 'name' is invalid: the name 'my_agent_rule' is already used by a custom rule)\"]}" }, "cookies": [], "headers": [ @@ -110,11 +110,11 @@ "status": 400, "statusText": "Bad Request" }, - "startedDateTime": "2025-05-27T10:24:52.883Z", - "time": 501 + "startedDateTime": "2025-10-02T12:40:09.557Z", + "time": 643 }, { - "_id": "4d3f95b180cb6f4b566ba489d950e4bf", + "_id": "b0599f765e6716c2e4d05128d38492b1", "_order": 0, "cache": {}, "request": { 
@@ -131,7 +131,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/wqi-kze-rt7" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/9lu-jcj-cfk" }, "response": { "bodySize": 0, @@ -152,8 +152,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-05-27T10:24:53.393Z", - "time": 668 + "startedDateTime": "2025-10-02T12:40:10.205Z", + "time": 732 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-OK-response_2698696373/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-OK-response_2698696373/frozen.json index b46523090f67..5180e620d554 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-OK-response_2698696373/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-OK-response_2698696373/frozen.json @@ -1 +1 @@ -"2025-05-27T10:24:54.068Z" +"2025-10-02T12:40:10.942Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-OK-response_2698696373/recording.har b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-OK-response_2698696373/recording.har index f8e54156c38c..8f47b5ab84fd 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-OK-response_2698696373/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-returns-OK-response_2698696373/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "cbe9253613f5d3fb32b237404879c5e9", + "_id": "5233ddc5445d98e9dc6d61773f842e24", "_order": 0, "cache": {}, "request": { 
@@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateaworkloadprotectionagentrulereturnsokresponse1748341494\"},\"type\":\"policy\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateaworkloadprotectionagentrulereturnsokresponse1759408810\"},\"type\":\"policy\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" }, "response": { - "bodySize": 446, + "bodySize": 442, "content": { "mimeType": "application/json", - "size": 446, - "text": "{\"data\":{\"id\":\"zkg-owo-mcp\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateaworkloadprotectionagentrulereturnsokresponse1748341494\",\"policyVersion\":\"1\",\"priority\":1000000011,\"ruleCount\":226,\"updateDate\":1748341494354,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 442, + "text": "{\"data\":{\"id\":\"f9o-yyi-dod\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":7,\"name\":\"testcreateaworkloadprotectionagentrulereturnsokresponse1759408810\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":8,\"updateDate\":1759408811374,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ 
@@ -57,15 +57,15 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:24:54.069Z", - "time": 610 + "startedDateTime": "2025-10-02T12:40:10.944Z", + "time": 966 }, { - "_id": "f913fcf7b123725236248fbbaf89e45c", + "_id": "1337e6f675e48401d9c5612945470d76", "_order": 0, "cache": {}, "request": { - "bodySize": 262, + "bodySize": 287, "cookies": [], "headers": [ { @@ -85,7 +85,7 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateaworkloadprotectionagentrulereturnsokresponse1748341494\",\"policy_id\":\"zkg-owo-mcp\",\"product_tags\":[]},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"agent_version\":\"> 7.60\",\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateaworkloadprotectionagentrulereturnsokresponse1759408810\",\"policy_id\":\"f9o-yyi-dod\",\"product_tags\":[]},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" 
@@ -95,7 +95,7 @@ "content": { "mimeType": "application/json", "size": 519, - "text": "{\"data\":{\"id\":\"ymx-atn-xux\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1748341495064,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"zkg-owo-mcp\"],\"name\":\"testcreateaworkloadprotectionagentrulereturnsokresponse1748341494\",\"product_tags\":[],\"updateDate\":1748341495064,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "text": "{\"data\":{\"id\":\"x8w-ivj-qad\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1759408812331,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"f9o-yyi-dod\"],\"name\":\"testcreateaworkloadprotectionagentrulereturnsokresponse1759408810\",\"product_tags\":[],\"updateDate\":1759408812331,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ @@ -110,11 +110,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:24:54.683Z", - "time": 968 + "startedDateTime": "2025-10-02T12:40:11.914Z", + "time": 945 }, { - "_id": "151f86620345d9c8e93c7400bcca35b2", + "_id": "080172b1c11319a3c642e79cb298911c", "_order": 0, "cache": {}, "request": { @@ -131,7 +131,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ymx-atn-xux" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/x8w-ivj-qad" }, "response": { "bodySize": 0, 
@@ -152,11 +152,11 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-05-27T10:24:55.659Z", - "time": 701 + "startedDateTime": "2025-10-02T12:40:12.864Z", + "time": 1000 }, { - "_id": "7a99bac7e0baed2df14d56b80bf32a29", + "_id": "81fa5e680f0ffa43989ac073d26ef871", "_order": 0, "cache": {}, "request": { @@ -173,7 +173,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/zkg-owo-mcp" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/f9o-yyi-dod" }, "response": { "bodySize": 0, @@ -194,8 +194,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-05-27T10:24:56.366Z", - "time": 676 + "startedDateTime": "2025-10-02T12:40:13.867Z", + "time": 960 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response_3686873779/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response_3686873779/frozen.json index 1cdc69c06b9d..d6340184b011 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response_3686873779/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response_3686873779/frozen.json @@ -1 +1 @@ -"2025-06-13T15:16:58.034Z" +"2025-10-02T12:40:14.830Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response_3686873779/recording.har b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response_3686873779/recording.har index 3b23c8a48154..f0fa57a81f30 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response_3686873779/recording.har 
+++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response_3686873779/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "258766a3d0c85c2b27cf0f2ddc6a4c23", + "_id": "559361c273e0586758320d2c7a32b724", "_order": 0, "cache": {}, "request": { 
@@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1749827818\"},\"type\":\"policy\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759408814\"},\"type\":\"policy\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" }, "response": { - "bodySize": 459, + "bodySize": 455, "content": { "mimeType": "application/json", - "size": 459, - "text": "{\"data\":{\"id\":\"alt-4q4-baa\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1749827818\",\"policyVersion\":\"1\",\"priority\":1000000013,\"ruleCount\":226,\"updateDate\":1749827818428,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 455, + "text": "{\"data\":{\"id\":\"chk-jq4-tfd\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":7,\"name\":\"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759408814\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":8,\"updateDate\":1759408815282,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ 
@@ -57,15 +57,15 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-06-13T15:16:58.038Z", - "time": 901 + "startedDateTime": "2025-10-02T12:40:14.832Z", + "time": 1130 }, { - "_id": "b8d1628e733906f638f5374d03cf338b", + "_id": "04c533e8d1109bd54dfc2062586ac20e", "_order": 0, "cache": {}, "request": { - "bodySize": 382, + "bodySize": 399, "cookies": [], "headers": [ { 
@@ -85,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"scope\":\"process\",\"value\":\"test_value\"}},{\"hash\":{}}],\"description\":\"My Agent rule with set action\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1749827818\",\"policy_id\":\"alt-4q4-baa\",\"product_tags\":[]},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"actions\":[{\"set\":{\"inherited\":true,\"name\":\"test_set\",\"scope\":\"process\",\"value\":\"test_value\"}},{\"hash\":{}}],\"description\":\"My Agent rule with set action\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759408814\",\"policy_id\":\"chk-jq4-tfd\",\"product_tags\":[]},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" }, "response": { - "bodySize": 673, + "bodySize": 690, "content": { "mimeType": "application/json", - "size": 673, - "text": "{\"data\":{\"id\":\"ps3-64e-shx\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\"},\"disabled\":false},{\"hash\":{},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1749827819065,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule with set action\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"alt-4q4-baa\"],\"name\":\"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1749827818\",\"product_tags\":[],\"updateDate\":1749827819065,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + 
"size": 690, + "text": "{\"data\":{\"id\":\"wmp-cka-8hg\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\",\"inherited\":true},\"disabled\":false},{\"hash\":{},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1759408816380,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule with set action\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"chk-jq4-tfd\"],\"name\":\"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759408814\",\"product_tags\":[],\"updateDate\":1759408816380,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ @@ -110,11 +110,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-06-13T15:16:58.948Z", - "time": 563 + "startedDateTime": "2025-10-02T12:40:15.966Z", + "time": 1396 }, { - "_id": "2e30739b44e5f2cd6998ce6f2d27a7b6", + "_id": "600cc5b3b5851142ff3d3f0c6b7cef95", "_order": 0, "cache": {}, "request": { @@ -131,7 +131,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ps3-64e-shx" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/wmp-cka-8hg" }, "response": { "bodySize": 0, @@ -152,11 +152,11 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-06-13T15:16:59.522Z", - "time": 965 + "startedDateTime": "2025-10-02T12:40:17.366Z", + "time": 1262 }, { - "_id": "8c258b51492524fac829d30a4be958c3", + "_id": "8cefdfbb2699920da596daa1512da7ca", "_order": 0, "cache": {}, "request": { 
@@ -173,7 +173,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/alt-4q4-baa" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/chk-jq4-tfd" }, "response": { "bodySize": 0, @@ -194,8 +194,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-06-13T15:17:00.490Z", - "time": 854 + "startedDateTime": "2025-10-02T12:40:18.631Z", + "time": 934 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-respon_1491114341/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-respon_1491114341/frozen.json new file mode 100644 index 000000000000..6dc4d43a4237 --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-respon_1491114341/frozen.json @@ -0,0 +1 @@ +"2025-10-02T12:40:19.568Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-respon_1491114341/recording.har b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-respon_1491114341/recording.har new file mode 100644 index 000000000000..3d06e5eb09ab --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-respon_1491114341/recording.har 
@@ -0,0 +1,204 @@ +{ + "log": { + "_recordingName": "CSM Threats/Create a Workload Protection agent rule with set action with expression returns \"OK\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "f543dbf1e99d9533696cb4b028a15a4c", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 217, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 595, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1759408819\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 469, + "content": { + "mimeType": "application/json", + "size": 469, + "text": "{\"data\":{\"id\":\"cbw-w25-hki\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":7,\"name\":\"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1759408819\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":8,\"updateDate\":1759408819928,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-10-02T12:40:19.569Z", + 
"time": 932 + }, + { + "_id": "66b838ed6175237f3449867f5eddc851", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 437, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 598, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"actions\":[{\"set\":{\"default_value\":\"/dev/null\",\"expression\":\"open.file.path\",\"name\":\"test_set\",\"scope\":\"process\"}}],\"description\":\"My Agent rule with set action with expression\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1759408819\",\"policy_id\":\"cbw-w25-hki\",\"product_tags\":[]},\"type\":\"agent_rule\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" + }, + "response": { + "bodySize": 729, + "content": { + "mimeType": "application/json", + "size": 729, + "text": "{\"data\":{\"id\":\"csy-0yk-vqe\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"default_value\":\"/dev/null\",\"scope\":\"process\",\"expression\":\"open.file.path\",\"inherited\":false},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1759408820918,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule with set action with expression\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"cbw-w25-hki\"],\"name\":\"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1759408819\",\"product_tags\":[],\"updateDate\":1759408820918,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-10-02T12:40:20.506Z", + "time": 1423 + }, + { + "_id": "8204ac25cb9de2a189b98b2fb852c88e", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 546, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/csy-0yk-vqe" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-10-02T12:40:21.932Z", + "time": 876 + }, + { + "_id": "b5f20b9ec6e42a091171a0f091d08b38", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 543, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/cbw-w25-hki" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + 
"httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-10-02T12:40:22.810Z", + "time": 829 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-Bad-Request-response_2734753388/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-Bad-Request-response_2734753388/frozen.json index 2ed530f2bd19..e1322563a5e8 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-Bad-Request-response_2734753388/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-Bad-Request-response_2734753388/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:00.102Z" +"2025-10-02T12:40:23.642Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-Bad-Request-response_2734753388/recording.har b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-Bad-Request-response_2734753388/recording.har index d10e2b530a15..9d3e9d250be7 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-Bad-Request-response_2734753388/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-Bad-Request-response_2734753388/recording.har @@ -57,8 +57,8 @@ "status": 400, "statusText": "Bad Request" }, - "startedDateTime": "2025-05-27T10:25:00.105Z", - "time": 348 + "startedDateTime": "2025-10-02T12:40:23.644Z", + "time": 503 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-OK-response_3444919570/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-OK-response_3444919570/frozen.json index c60232007f77..943a5560266c 100644 
--- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-OK-response_3444919570/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-OK-response_3444919570/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:00.463Z" +"2025-10-02T12:40:24.150Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-OK-response_3444919570/recording.har b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-OK-response_3444919570/recording.har index e82e8dbe4ef6..cde4f038fd7c 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-OK-response_3444919570/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Workload-Protection-policy-returns-OK-response_3444919570/recording.har 
@@ -38,11 +38,11 @@ "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" }, "response": { - "bodySize": 400, + "bodySize": 389, "content": { "mimeType": "application/json", - "size": 400, - "text": "{\"data\":{\"id\":\"sw9-gtj-ll2\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"my_agent_policy\",\"policyVersion\":\"1\",\"priority\":1000000011,\"ruleCount\":226,\"updateDate\":1748341500859,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 389, + "text": "{\"data\":{\"id\":\"8eq-tal-idk\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":7,\"name\":\"my_agent_policy\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":8,\"updateDate\":1759408824525,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ @@ -57,11 +57,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:25:00.466Z", - "time": 721 + "startedDateTime": "2025-10-02T12:40:24.152Z", + "time": 818 }, { - "_id": "454109451fda9ba6dc0af650e4a3c0e9", + "_id": "9196865f8e30dbd8ef0ab4c427860f38", "_order": 0, "cache": {}, "request": { @@ -78,7 +78,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/sw9-gtj-ll2" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/8eq-tal-idk" }, "response": { "bodySize": 0, 
@@ -99,8 +99,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-05-27T10:25:01.190Z", - "time": 586 + "startedDateTime": "2025-10-02T12:40:24.974Z", + "time": 1013 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response_1214983173/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response_1214983173/frozen.json index 935a9abf6c5d..5704356e2113 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response_1214983173/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response_1214983173/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:01.784Z" +"2025-10-02T12:40:25.990Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response_1214983173/recording.har b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response_1214983173/recording.har index 6f479ee0ff14..d9400ad54a4e 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response_1214983173/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response_1214983173/recording.har @@ -47,8 +47,8 @@ "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2025-05-27T10:25:01.787Z", - "time": 556 + "startedDateTime": "2025-10-02T12:40:25.992Z", + "time": 731 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-OK-response_779044436/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-OK-response_779044436/frozen.json index 28fa9725df31..307b5e2f218b 100644 
--- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-OK-response_779044436/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-OK-response_779044436/frozen.json @@ -1 +1 @@ -"2025-06-13T15:16:43.100Z" +"2025-10-02T12:40:26.726Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-OK-response_779044436/recording.har b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-OK-response_779044436/recording.har index 71d040182152..4735b05d2465 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-OK-response_779044436/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-agent-rule-returns-OK-response_779044436/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "f5263bd7a7e1425ab1123cab47f353c2", + "_id": "a3c804505d12bb295fa088e7303f1ef7", "_order": 0, "cache": {}, "request": { 
@@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteaworkloadprotectionagentrulereturnsokresponse1749827803\"},\"type\":\"policy\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteaworkloadprotectionagentrulereturnsokresponse1759408826\"},\"type\":\"policy\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" }, "response": { - "bodySize": 446, + "bodySize": 442, "content": { "mimeType": "application/json", - "size": 446, - "text": "{\"data\":{\"id\":\"tn0-tjy-vwh\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteaworkloadprotectionagentrulereturnsokresponse1749827803\",\"policyVersion\":\"1\",\"priority\":1000000013,\"ruleCount\":226,\"updateDate\":1749827803539,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 442, + "text": "{\"data\":{\"id\":\"hew-mdk-ecg\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":7,\"name\":\"testdeleteaworkloadprotectionagentrulereturnsokresponse1759408826\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":8,\"updateDate\":1759408827187,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ 
@@ -57,11 +57,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-06-13T15:16:43.105Z", - "time": 913 + "startedDateTime": "2025-10-02T12:40:26.728Z", + "time": 1293 }, { - "_id": "77fdc0bacd065c8bd1150767402fb565", + "_id": "22206811d3b25f5320f7843b6ea4d524", "_order": 0, "cache": {}, "request": { 
@@ -85,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"scope\":\"process\",\"value\":\"test_value\"}},{\"hash\":{}}],\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteaworkloadprotectionagentrulereturnsokresponse1749827803\",\"policy_id\":\"tn0-tjy-vwh\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"scope\":\"process\",\"value\":\"test_value\"}},{\"hash\":{}}],\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteaworkloadprotectionagentrulereturnsokresponse1759408826\",\"policy_id\":\"hew-mdk-ecg\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" }, "response": { - "bodySize": 679, + "bodySize": 697, "content": { "mimeType": "application/json", - "size": 679, - "text": "{\"data\":{\"id\":\"hm0-n7p-hq7\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\"},\"disabled\":false},{\"hash\":{},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1749827804150,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"tn0-tjy-vwh\"],\"name\":\"testdeleteaworkloadprotectionagentrulereturnsokresponse1749827803\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1749827804150,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 697, + "text": 
"{\"data\":{\"id\":\"wio-mod-upk\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\",\"inherited\":false},\"disabled\":false},{\"hash\":{},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1759408828403,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"hew-mdk-ecg\"],\"name\":\"testdeleteaworkloadprotectionagentrulereturnsokresponse1759408826\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1759408828403,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ @@ -110,11 +110,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-06-13T15:16:44.022Z", - "time": 1062 + "startedDateTime": "2025-10-02T12:40:28.027Z", + "time": 1025 }, { - "_id": "102a27adc4866948f39a3ac93ef7120f", + "_id": "4deffb30eb094567bf7dc9ad4c7b82cb", "_order": 0, "cache": {}, "request": { @@ -133,10 +133,10 @@ "queryString": [ { "name": "policy_id", - "value": "tn0-tjy-vwh" + "value": "hew-mdk-ecg" } ], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hm0-n7p-hq7?policy_id=tn0-tjy-vwh" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/wio-mod-upk?policy_id=hew-mdk-ecg" }, "response": { "bodySize": 0, @@ -157,11 +157,11 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-06-13T15:16:45.091Z", - "time": 966 + "startedDateTime": "2025-10-02T12:40:29.058Z", + "time": 1137 }, { - "_id": "071c70f0e64c9b2992b1d30b8ae116a8", + "_id": "eb9860c581d98a3f14904129c6830139", "_order": 0, "cache": {}, "request": { 
@@ -178,7 +178,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hm0-n7p-hq7" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/wio-mod-upk" }, "response": { "bodySize": 47, @@ -200,11 +200,11 @@ "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2025-06-13T15:16:46.067Z", - "time": 789 + "startedDateTime": "2025-10-02T12:40:30.201Z", + "time": 689 }, { - "_id": "df9f53da3e41888c18aa2a10201ae88e", + "_id": "b3671694a74dc79d4247bdf6ce1d1371", "_order": 0, "cache": {}, "request": { @@ -221,7 +221,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/tn0-tjy-vwh" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/hew-mdk-ecg" }, "response": { "bodySize": 0, @@ -242,8 +242,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-06-13T15:16:46.863Z", - "time": 1424 + "startedDateTime": "2025-10-02T12:40:30.894Z", + "time": 1042 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-Not-Found-response_993484388/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-Not-Found-response_993484388/frozen.json index bcdc027ea04b..b3f0fe55fd1d 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-Not-Found-response_993484388/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-Not-Found-response_993484388/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:05.781Z" +"2025-10-02T12:40:31.940Z" 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-Not-Found-response_993484388/recording.har b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-Not-Found-response_993484388/recording.har index 72c88413611f..c5b6b61a03d7 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-Not-Found-response_993484388/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-Not-Found-response_993484388/recording.har @@ -47,8 +47,8 @@ "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2025-05-27T10:25:05.786Z", - "time": 440 + "startedDateTime": "2025-10-02T12:40:31.941Z", + "time": 656 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-OK-response_1572290023/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-OK-response_1572290023/frozen.json index 0835c0c773e7..2ab6609a86e3 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-OK-response_1572290023/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-OK-response_1572290023/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:06.233Z" +"2025-10-02T12:40:32.600Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-OK-response_1572290023/recording.har b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-OK-response_1572290023/recording.har index 6a837d007ead..263c39e08ae6 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-OK-response_1572290023/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Workload-Protection-policy-returns-OK-response_1572290023/recording.har 
@@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "6b2989ade9234d944200a178bcf1d41f", + "_id": "24cc75e55f5f4f1ecf6edb9300b6b8c0", "_order": 0, "cache": {}, "request": { @@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteaworkloadprotectionpolicyreturnsokresponse1748341506\"},\"type\":\"policy\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteaworkloadprotectionpolicyreturnsokresponse1759408832\"},\"type\":\"policy\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" }, "response": { - "bodySize": 443, + "bodySize": 439, "content": { "mimeType": "application/json", - "size": 443, - "text": "{\"data\":{\"id\":\"1a4-eoy-qob\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteaworkloadprotectionpolicyreturnsokresponse1748341506\",\"policyVersion\":\"1\",\"priority\":1000000011,\"ruleCount\":226,\"updateDate\":1748341506537,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 439, + "text": "{\"data\":{\"id\":\"cji-tgs-sbp\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":7,\"name\":\"testdeleteaworkloadprotectionpolicyreturnsokresponse1759408832\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":8,\"updateDate\":1759408832970,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ 
@@ -57,11 +57,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:25:06.235Z", - "time": 561 + "startedDateTime": "2025-10-02T12:40:32.603Z", + "time": 922 }, { - "_id": "7b152d3e08d3e49278b811fb01dcbf79", + "_id": "b4229b55bbb78045defa5830c96a942a", "_order": 0, "cache": {}, "request": { @@ -78,7 +78,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1a4-eoy-qob" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/cji-tgs-sbp" }, "response": { "bodySize": 0, @@ -99,11 +99,11 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-05-27T10:25:06.803Z", - "time": 647 + "startedDateTime": "2025-10-02T12:40:33.528Z", + "time": 970 }, { - "_id": "7b152d3e08d3e49278b811fb01dcbf79", + "_id": "b4229b55bbb78045defa5830c96a942a", "_order": 1, "cache": {}, "request": { @@ -120,7 +120,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1a4-eoy-qob" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/cji-tgs-sbp" }, "response": { "bodySize": 49, @@ -142,8 +142,8 @@ "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2025-05-27T10:25:07.457Z", - "time": 448 + "startedDateTime": "2025-10-02T12:40:34.503Z", + "time": 688 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response_1630230774/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response_1630230774/frozen.json index 3bbcad010799..f573cb02a8fb 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response_1630230774/frozen.json 
+++ b/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response_1630230774/frozen.json
@@ -1 +1 @@
-"2025-05-27T10:25:07.908Z"
+"2025-10-02T12:40:35.195Z"
diff --git a/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response_1630230774/recording.har b/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response_1630230774/recording.har
index 55bc429e7624..6109d89495a9 100644
--- a/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response_1630230774/recording.har
+++ b/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response_1630230774/recording.har
@@ -28,11 +28,11 @@ "url": "https://api.datadoghq.com/api/v2/security/cloud_workload/policy/download" }, "response": { - "bodySize": 131981, + "bodySize": 151983, "content": { "mimeType": "application/yaml", - "size": 131981, - "text": "# IMPORTANT: Edits to this file will not be reflected in the Datadog App and will be overwritten with new policy file downloads. Please modify rules in the Datadog App for full functionality.\nversion: '1748341508354'\nrules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An AppArmor profile was modified in an interactive session\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n !=\"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditctl_usage\n version: fdc2412d\n description: The auditctl command was used to modify auditd\n expression: exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditd_config_modified\n version: c7f52a7a\n description: The auditd configuration file was modified without using auditctl\n expression: open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\n > 0 && process.file.name != \"auditctl\"\n agent_version: ''\n filters: []\n- id: auditd_rule_file_modified\n version: c533115d\n description: The auditd rules file was modified without using auditctl\n expression: open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name !=\n \"auditctl\"\n agent_version: ''\n filters: []\n- id: aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description: The AWS EKS service account token was accessed\n expression: open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n 
\"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: aws_imds\n version: 6d47fcfe\n description: An AWS IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\",\n \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]\n agent_version: ''\n filters: []\n- id: aws_metadata_service\n version: 4601e52e\n description: EC2 Instance Metadata Service Accessed via Network Utility\n expression: exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in\n [~\"*169.254.169.254*\"]\n agent_version: ''\n filters: []\n- id: azure_imds\n version: 784f9a83\n description: An Azure IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]\n agent_version: ''\n filters: []\n- id: chatroom_request\n version: 91aa2a0f\n description: A DNS request was made for a chatroom domain\n expression: dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: common_net_intrusion_util\n version: c7198131\n description: A network utility (nmap) commonly used in intrusion attacks was executed\n expression: exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\",\n \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]\n agent_version: ''\n filters: []\n- id: compile_after_delivery\n 
version: f41c1e36\n description: A compiler wrote a suspicious file in a container\n expression: |-\n open.flags & O_CREAT > 0\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n )\n && (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n && process.file.name not in [\"pip\", ~\"python*\"]\n && container.id != \"\"\n agent_version: ''\n filters: []\n- id: compiler_in_container\n version: 441a7e85\n description: Compiler Executed in Container\n expression: (exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path\n != \"/usr/bin/cilium-agent\"\n agent_version: ''\n filters: []\n- id: credential_modified_chmod\n version: 7e14d921\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: credential_modified_chown\n version: 3731e0d5\n description: Sensitive credential files were modified using a non-standard tool\n 
expression: |-\n (\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: credential_modified_link\n version: 7594ec54\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_open_v2\n version: 5aec9afe\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n 
(open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n version: 8bb8242b\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_unlink\n version: 5af577d\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", 
\"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n version: 1c101338\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chmod\n version: 13512ebc\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && chmod.file.destination.mode != chmod.file.mode\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chown\n version: ee7b306c\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_link\n version: b83e03f6\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_open\n version: 561ad06\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_rename\n version: 59b739d8\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_unlink\n version: 82b6d187\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_utimes\n version: d460ba68\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cryptominer_args\n version: fc017137\n description: A process launched with arguments associated 
with cryptominers\n expression: exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args\n in [~\"*stratum+tcp*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: cryptominer_envs\n version: 654a00aa\n description: Process environment variables match cryptocurrency miner\n expression: exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: curl_docker_socket\n version: f736b6e6\n description: The Docker socket was referenced in a cURL command\n expression: exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args\n in [\"*docker.sock*\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: database_shell_execution\n version: 3508c713\n description: A database application spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n process.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n !(process.parent.file.name == \"initdb\" &&\n exec.args == \"-c locale -a\") &&\n !(process.parent.file.name == 
\"postgres\" &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: deploy_priv_container\n version: 356d5ee7\n description: A privileged container was created\n expression: exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted\n & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters: []\n- id: dirty_pipe_attempt\n version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag\n & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dirty_pipe_exploitation\n version: 9bcacfe3\n description: Potential Dirty pipe exploitation\n expression: (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dummy_rule\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_AszwF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_BAiZP\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_CpDMZ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_DBtCK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_HfYXr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_JAnCe\n version: 28ba1078\n description: 
Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KJInv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KSDPb\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_LPRxi\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_PkauG\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_RMoJm\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_Tjzvu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VfQSV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VxNSK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_XcxFr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bKkuv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bVlLJ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == 
\"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_cdxqn\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_fWORB\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_iNwDw\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_ipyRF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_ivMAv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_jcvqK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_lszUX\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_mABue\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_qDgvU\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_sUVnW\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_tSfwV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
dummy_rule_xkrhu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n version: 1924611e\n description: A process unlinked a dynamic linker config file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"]\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_write\n version: 764fc516\n description: A process wrote to a dynamic linker config file\n expression: open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: example_agent_rule\n version: 28ba1078\n description: An example agent rule generated in terraform\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == 
\"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exec_lsmod\n version: 1a14c811\n description: Kernel modules were listed using the lsmod 
command\n expression: exec.comm == \"lsmod\"\n agent_version: ''\n filters: []\n- id: exec_whoami\n version: 90ea91b6\n description: The whoami command was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n filters: []\n- id: gcp_imds\n version: 3035dbbf\n description: An GCP IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\",\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version: 60fd84a9\n description: A hidden file was executed in a suspicious folder\n expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version: ''\n filters: []\n- id: interactive_shell_in_container\n version: 757f83d3\n description: An interactive shell was started inside of a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: ip_check_domain\n version: 2d5285c0\n description: A DNS lookup was done for a IP check service\n expression: dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && 
process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: java_shell_execution\n version: 24c2eb7c\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/b
in/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.ancestors.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: java_shell_execution_parent\n version: 1bcff0aa\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.parent.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: jupyter_shell_execution\n version: d2d9243c\n description: A Jupyter notebook executed a 
shell\n expression: (exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"]\n || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"])\n && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: k8s_pod_service_account_token_accessed\n version: 88c0ee3a\n description: The Kubernetes pod service account token was accessed\n expression: open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\",\n ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\"\n && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\",\n 
\"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\",\n \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path not in [\"/usr/bin/cilium-agent\",\n \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\",\n \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\",\n \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\",\n \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\",\n \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\",\n \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\",\n \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\",\n \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\",\n \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 82c61c82\n description: A new kernel module was added\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: kernel_module_chown\n version: ca2cf124\n description: A new kernel module was added\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: kernel_module_link\n version: a18ca197\n description: A new kernel module was added\n expression: |-\n (\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_load\n version: 904592b4\n description: A kernel module was loaded\n expression: load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\",\n \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"]\n && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\",\n \"xtables-legacy-multi\", \"ssm-agent-worker\"]\n agent_version: ''\n filters: []\n- id: kernel_module_load_container\n version: 139b666a\n description: A container loaded a new kernel module\n expression: load_module.name != \"\" && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n description: A kernel module was loaded from memory\n expression: load_module.loaded_from_memory == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n version: a277c753\n description: A kernel module was loaded from memory inside a container\n expression: load_module.loaded_from_memory == true && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_open\n version: 55f9569\n description: A new kernel module was added\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n 
agent_version: ''\n filters: []\n- id: kernel_module_rename\n version: 9d8cb7d8\n description: A new kernel module was added\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_unlink\n version: 652391be\n description: A new kernel module was added\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_utimes\n version: 405d45e7\n description: A new kernel module was added\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kmod_list\n version: c353a548\n description: Kernel modules were listed using the kmod command\n expression: exec.comm == \"kmod\" && exec.args in [~\"*list*\"]\n agent_version: ''\n filters: []\n- id: ld_preload_unusual_library_path\n version: cc6fd0c4\n description: The LD_PRELOAD variable is populated by a link to a suspicious file\n directory\n expression: exec.envs in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]\n agent_version: ''\n filters: []\n- id: memfd_create\n version: 5908512a\n description: memfd object created\n expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\"\n agent_version: ''\n filters: []\n- id: mount_host_fs\n version: accb4f\n description: The host file system was mounted in a container\n expression: mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n agent_version: ''\n filters: []\n- id: mount_proc_hide\n version: fd887e01\n description: Process hidden using mount\n expression: mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\",\n ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_file_download\n version: 75b930ad\n description: A suspicious file was written by a network utility\n expression: |-\n open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n )\n agent_version: ''\n filters: []\n- id: net_unusual_request\n 
version: 3df2d9ef\n description: Network utility executed with suspicious URI\n expression: 'exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n filters: []\n- id: net_util\n version: fc362090\n description: A network utility was executed\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_exfiltration\n version: 5f7c8871\n description: Exfiltration attempt via network utility\n expression: \"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options\\\n \\ in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\"\\\n , ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_util_in_container\n version: 69e03ac1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_in_container_v2\n version: 26d8eba1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: network_sniffing_tool\n 
version: 4ae409bf\n description: Local account groups were enumerated after container start up\n expression: exec.file.name in [\"tcpdump\", \"tshark\"]\n agent_version: ''\n filters: []\n- id: new_binary_execution_in_container\n version: 9dc42e1d\n description: A container executed a new binary not found in the container image\n expression: container.id != \"\" && process.file.in_upper_layer && process.file.modification_time\n < 30s && exec.file.name != \"\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_us1_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chmod\n version: d301aedf\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chown\n version: '69383592'\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_link\n version: e0565b29\n description: Nsswitch Configuration Modified\n expression: 
|-\n (\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open\n version: b5602c6f\n description: Nsswitch Configuration Modified\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open_v2\n version: abef53c9\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_rename\n version: aad34176\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_unlink\n version: 8a3e2fbb\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: ntds_in_commandline\n version: 5cdd4bba\n description: NTDS file referenced in commandline\n expression: exec.cmdline =~ \"*ntds.dit*\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: offensive_k8s_tool\n version: b83fba22\n description: A known kubernetes pentesting tool has been executed\n expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv ||\n \"kubestriker\" in exec.argv ) ) || exec.file.name in [ 
\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: package_management_in_container\n version: c152fcaf\n description: Package management was detected in a container\n expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: pam_modification_chmod\n version: 974a676e\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pam_modification_chown\n version: ca22d0ab\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pam_modification_link\n version: 3d5d6b31\n description: PAM Configuration Files Modification\n expression: |-\n (\n (link.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_open\n version: 9440f452\n description: PAM Configuration Files Modification\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_rename\n version: bd1d257a\n description: PAM Configuration Files Modification\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in 
[ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_unlink\n version: c3dc53e1\n description: PAM Configuration Files Modification\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_utimes\n version: d377b599\n description: PAM may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: passwd_execution\n version: e1d41f5e\n description: The passwd or chpasswd utility was used to modify an account password\n expression: exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags\n not in [\"S\", \"status\"]\n agent_version: ''\n filters: []\n- id: paste_site\n version: b528c8d4\n description: A DNS lookup was done for a pastebin-like site\n expression: dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\",\n \"klgrth.io\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chown\n version: 21da2189\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_link\n version: a7ac587c\n description: Critical system binaries may have been modified\n expression: |-\n (\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open\n version: f583ba7c\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open_v2\n version: 45abd074\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version: e0bc0857\n description: Critical system binaries may have been modified\n expression: |-\n (\n (rename.file.path in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_unlink\n version: 3bb086ca\n description: Critical system binaries may have been modified\n expression: |-\n (\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_utimes\n version: 6d979630\n description: Critical system binaries may have been modified\n expression: |-\n (\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: potential_cryptominer\n version: 4241c309\n description: A process resolved a DNS name associated with cryptomining activity\n expression: dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\",\n ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\",\n ~\"*rplant.xyz\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: potential_web_shell_parent\n version: b67ffbcd\n description: A web application spawned a shell or shell utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")\n agent_version: ''\n filters: []\n- id: ps_discovery\n version: 
a0a32c4b\n description: Processes were listed using the ps command\n expression: exec.comm == \"ps\" && exec.argv not in [\"-p\", \"--pid\"] && process.ancestors.file.name\n not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] && process.parent.file.name\n not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\",\n \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\",\n \"check_procs\", \"newrelic-daemon\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ptrace_antidebug\n version: a6289ff7\n description: A process uses an anti-debugging technique to block debuggers\n expression: ptrace.request == PTRACE_TRACEME && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: ptrace_injection\n version: 6d290a43\n description: A process attempted to inject code into another process\n expression: ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n || ptrace.request == PTRACE_POKEUSR\n agent_version: ''\n filters: []\n- id: pwnkit_privilege_escalation\n version: c83bbabc\n description: A process was spawned with indicators of exploitation of CVE-2021-4034\n expression: (exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"]\n && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)\n agent_version: ''\n filters: []\n- id: python_cli_code\n version: '989474'\n description: Python code was provided on the command line\n expression: exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args\n in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version: ''\n filters: []\n- id: ransomware_note\n version: ee40f85a\n description: Possible ransomware note created under common user directories\n expression: |-\n open.flags & O_CREAT > 0\n && open.file.path in [~\"/home/**\", ~\"/root/**\", 
~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n && open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] && open.file.name not in [r\".*\\.lock$\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n description: RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: read_kubeconfig\n version: '80926379'\n description: The kubeconfig file was accessed\n expression: open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]\n agent_version: ''\n filters: []\n- id: read_release_info\n version: d0cc9710\n description: OS information was read from the /etc/lsb-release file\n expression: open.file.path == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0\n agent_version: ''\n filters: []\n- id: redis_save_module\n version: b1cb9110\n description: Redis module has been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\", \"redis-server\"]\n agent_version: ''\n filters: []\n- id: registry_runkey_modified\n version: 3df7b8e9\n description: A Registry runkey has been modified\n expression: set.registry.key_path in [~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n 
~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\n NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: runc_modification\n version: c7144439\n description: The runc binary was modified in a non-standard way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: safeboot_modification\n version: 75fb1a6f\n description: Safeboot registry modified\n expression: set.registry.key_path =~ \"*\\\\HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: scheduled_task_creation\n version: 9c3f2289\n description: A scheduled task was created\n expression: exec.file.name in [\"at.exe\",\"schtasks.exe\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: selinux_disable_enforcement\n 
version: afa9a8ba\n description: SELinux enforcement status was disabled\n expression: selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args\n != ~\"*BECOME-SUCCESS*\"\n agent_version: ''\n filters: []\n- id: service_stop\n version: 8e434232\n description: systemctl used to stop a service\n expression: exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]\n agent_version: ''\n filters: []\n- id: shell_history_deleted\n version: ff763e6\n description: Shell History was Deleted\n expression: (unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") && process.comm\n not in [\"dockerd\", \"containerd\"]\n agent_version: ''\n filters: []\n- id: shell_history_symlink\n version: 31982e4d\n description: A symbolic link for shell history was created targeting /dev/null\n expression: exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n agent_version: ''\n filters: []\n- id: shell_history_truncated\n version: 38ec83e8\n description: Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name\n =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path in [~\"/root/*\", ~\"/home/**\"]\n && process.file.name == \"truncate\"\n agent_version: ''\n filters: []\n- id: shell_profile_modification\n version: d1cecdac\n description: Shell profile was modified\n expression: open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chmod\n version: e4096f79\n description: SSH modified keys may have been modified\n expression: |-\n (\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chown\n version: 9639bf6\n description: SSH modified keys may have been 
modified\n expression: |-\n (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_link\n version: 81382bdd\n description: SSH Authorized Keys Modified\n expression: |-\n (\n link.file.name == \"authorized_keys\" && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open\n version: 1ae8f7d6\n description: SSH Authorized Keys Modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name == \"authorized_keys\" && (open.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open_v2\n version: 513f8108\n description: SSH modified keys may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_rename\n version: fd3bdabf\n description: SSH Authorized Keys Modified\n expression: |-\n (\n rename.file.name == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_unlink\n version: 54cf4a88\n description: SSH Authorized Keys Modified\n expression: |-\n (\n unlink.file.name == \"authorized_keys\" && (unlink.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_utimes\n version: 59377e61\n description: SSH Authorized Keys Modified\n expression: |-\n (\n utimes.file.name == 
\"authorized_keys\" && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_it_tool_config_write\n version: 86ae3762\n description: The configuration directory for an ssh worm\n expression: open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\",\n ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) >\n 0\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_chmod\n version: d8ac6517\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.mode != chmod.file.destination.mode\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_chown\n version: 3d04895f\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != 
\"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_link\n version: eb594616\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n )\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open\n version: c34bcf3a\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: 
ssl_certificate_tampering_open_v2\n version: a90058eb\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_rename\n version: e42eefb4\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_unlink\n version: 37c40311\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_utimes\n version: 29db81c1\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chmod\n version: ae70daab\n description: Sudoers policy file may have been modified without authorization\n expression: \"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode\\\n \\ != chmod.file.mode && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\"\\\n , ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"\\\n ]\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chown\n version: 898b1aa0\n 
description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (chown.file.path == \"/etc/sudoers\")\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_link\n version: 1f1b8962\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_open\n version: af2610b6\n description: Sudoers policy file may have been modified without authorization\n expression: |2-\n\n (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_rename\n version: 531fc9ae\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_unlink\n version: 5568da57\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (unlink.file.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_utimes\n version: d99c2466\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (utimes.file.path == \"/etc/sudoers\")\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: suid_file_execution\n version: 1b4f4075\n description: a SUID file was executed\n expression: (setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID\n > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"\n agent_version: ''\n filters: []\n- id: suspicious_container_client\n version: 8b9461f4\n description: A container management utility was executed in a container\n expression: exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: suspicious_suid_execution\n version: 216c8207\n description: Recently written or modified suid file has been executed\n expression: ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n version: b0643139\n description: A service may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: systemd_modification_chown\n version: a0497885\n 
description: A service may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: systemd_modification_link\n version: 11a77f5b\n description: A service may have been modified without authorization\n expression: |-\n (\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_open\n version: b6dce303\n description: A service may have been modified without authorization\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_rename\n version: 9759ce6\n description: A service may have been modified without authorization\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", 
~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_unlink\n version: 8400ece8\n description: A service may have been modified without authorization\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_utimes\n version: 82acf2d\n description: A service may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: tar_execution\n version: e63af392\n description: Tar archive created\n expression: exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\n version: f43786f8\n description: Test Agent 
rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n 
agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\n version: 28ba1078\n description: an agent rule\n 
expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name 
== \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tty_shell_in_container\n version: 3d9489bb\n description: A shell with a TTY was executed in a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"\n agent_version: ''\n filters: []\n- id: tunnel_traffic\n version: 816201a5\n description: Tunneling or port forwarding tool used\n expression: ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags\n in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in\n [\"R\", \"L\", \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"]\n ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"])\n || (exec.comm == 
\"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) ||\n (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\",\n \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: user_created_tty\n version: 5b5f4a52\n description: A user was created via an interactive session\n expression: exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name\n !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version: ''\n filters: []\n- id: user_deleted_tty\n version: ad8edbe\n description: A user was deleted via an interactive session\n expression: exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path\n not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: windows_cryptominer_process\n version: e26f81ab\n description: A cryptominer was potentially executed\n expression: exec.cmdline in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\",\n ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\",\n ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n" + "size": 151983, + "text": "# IMPORTANT: Edits to this file will not be reflected in the Datadog App and will be overwritten with new policy file downloads. 
Please modify rules in the Datadog App for full functionality.\nversion: '1759408835623'\nrules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An AppArmor profile was modified in an interactive session\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n !=\"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditctl_usage\n version: fdc2412d\n description: The auditctl command was used to modify auditd\n expression: exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditd_config_modified\n version: c7f52a7a\n description: The auditd configuration file was modified without using auditctl\n expression: open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY)\n > 0 && process.file.name != \"auditctl\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditd_rule_file_modified\n version: c533115d\n description: The auditd rules file was modified without using auditctl\n expression: open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"]\n && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.name\n != \"auditctl\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description: The AWS EKS service account token was accessed\n expression: open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n 
\"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: aws_imds\n version: 6d47fcfe\n description: An AWS IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\",\n \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]\n agent_version: ''\n filters: []\n- id: aws_metadata_service\n version: 4601e52e\n description: EC2 Instance Metadata Service Accessed via Network Utility\n expression: exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in\n [~\"*169.254.169.254*\"]\n agent_version: ''\n filters: []\n- id: azure_imds\n version: 784f9a83\n description: An Azure IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]\n agent_version: ''\n filters: []\n- id: chatroom_request\n version: 91aa2a0f\n description: A DNS request was made for a chatroom domain\n expression: dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: common_net_intrusion_util\n version: c7198131\n description: A network utility (nmap) commonly used in intrusion attacks was executed\n expression: exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\",\n \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]\n agent_version: ''\n filters: []\n- id: compile_after_delivery\n version: f41c1e36\n description: A compiler wrote a suspicious file in a container\n expression: |-\n open.flags & O_CREAT > 0\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n )\n && 
(process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"])\n && process.file.name not in [\"pip\", ~\"python*\"]\n && container.id != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - hash: {}\n- id: compiler_in_container\n version: 441a7e85\n description: Compiler Executed in Container\n expression: (exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path\n != \"/usr/bin/cilium-agent\"\n agent_version: ''\n filters: []\n- id: container_breakout_enumeration_tool\n version: b14ba979\n description: A container performed various enumeration activities including checking\n container runtime, process privileges, user namespace mappings, Linux Security\n Modules, mount points, and network namespaces.\n expression: \"container.id != \\\"\\\" && (\\n open.file.path in [~\\\"/run/systemd/container\\\"\\\n ] ||\\n open.file.path in [~\\\"/proc/*/status\\\", ~\\\"/proc/*/task/*/status\\\"] ||\\n\\\n \\ (open.file.path in [~\\\"/proc/*/uid_map\\\"] && process.file.name not in [\\\"runc\\\"\\\n ]) ||\\n open.file.path in [~\\\"/proc/*/attr/current\\\"] ||\\n open.file.path in\\\n \\ [~\\\"/proc/*/mountinfo\\\"] ||\\n open.file.path in [~\\\"/proc/*/cgroup\\\"] ||\\n\\\n \\ open.file.path in [~\\\"/proc/net/unix\\\"]\\n) &&\\nprocess.file.in_upper_layer\\\n \\ && \\nprocess.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"\\\n /opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\"\\\n , \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\"\\\n , \\\"/opt/datadog-agent/bin/agent/agent\\\", 
\\\"/opt/datadog/apm/inject/auto_inject_runc\\\"\\\n , \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\"\\\n , \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\"\\\n , ~\\\"/opt/datadog-installer/**\\\"] \"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: core_pattern_write\n version: c6fdee59\n description: Detect any attempt to modify /proc/sys/kernel/core_pattern from a container,\n which might result to escape to host when a core dump is triggered.\n expression: \"open.file.name == \\\"core_pattern\\\" &&\\nopen.file.filesystem == \\\"proc\\\"\\\n \\ &&\\nopen.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && \\ncontainer.id\\\n \\ != \\\"\\\"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - set:\n field: container.id\n name: core_pattern_write_container_id\n scope: container\n ttl: 1800000000000\n- id: credential_modified_chmod\n version: 7e14d921\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: credential_modified_chown\n version: 3731e0d5\n description: Sensitive credential files were modified using a 
non-standard tool\n expression: |-\n (\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_link\n version: 7594ec54\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_open_v2\n version: 5aec9afe\n description: Sensitive credential files were modified 
using a non-standard tool\n expression: |-\n (\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n version: 8bb8242b\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_unlink\n version: 5af577d\n description: Sensitive credential files were modified using a non-standard tool\n 
expression: |-\n (\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n version: 1c101338\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: critical_windows_files_modified\n version: e96784de\n description: a critical windows file was modified\n expression: write.file.device_path in [~\"\\Device\\*\\windows\\system32\\**\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: cron_at_job_creation_chmod\n version: 13512ebc\n description: An unauthorized job was 
added to cron scheduling\n expression: |-\n (\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && chmod.file.destination.mode != chmod.file.mode\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: cron_at_job_creation_chown\n version: ee7b306c\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_link\n version: b83e03f6\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n agent_version: ''\n filters:\n 
- os == \"linux\"\n- id: cron_at_job_creation_open\n version: 561ad06\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: cron_at_job_creation_rename\n version: 59b739d8\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_unlink\n version: 82b6d187\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n agent_version: 
''\n filters:\n - os == \"linux\"\n- id: cron_at_job_creation_utimes\n version: d460ba68\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cryptominer_args\n version: fc017137\n description: A process launched with arguments associated with cryptominers\n expression: exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args\n in [~\"*stratum+tcp*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: cryptominer_envs\n version: 654a00aa\n description: Process environment variables match cryptocurrency miner\n expression: exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: curl_mgmt_socket\n version: f736b6e6\n description: A container management socket was referenced in a cURL command\n expression: exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args\n in [~\"*docker.sock*\", ~\"*dockershim.sock*\", ~\"*containerd.sock*\", ~\"*crio.sock*\",\n ~\"*frakti.sock*\", ~\"*rktlet.sock*\"] && container.id != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: database_shell_execution\n version: 3508c713\n description: A database application spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n 
\"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/us
r/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n process.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n !(process.parent.file.name == \"initdb\" &&\n exec.args == \"-c locale -a\") &&\n !(process.parent.file.name == \"postgres\" &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: delete_new_process\n version: f1ba8f89\n description: A file was deleted shortly after it was executed\n expression: unlink.file.path in ${cgroup.chain_exec_unlink}\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - set:\n field: unlink.file.path\n name: correlation_key_file_path\n scope: cgroup\n- id: deploy_priv_container\n version: 356d5ee7\n description: A privileged container was created\n expression: exec.file.name != \"\" && container.id != \"\" && container.created_at <\n 1s && process.cap_permitted & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: devshm_execution\n version: 9850af87\n description: A file executed from /dev/shm/ directory\n expression: exec.file.path == ~\"/dev/shm/**\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dirty_pipe_attempt\n version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag\n & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dirty_pipe_exploitation\n version: 9bcacfe3\n description: Potential Dirty pipe exploitation\n expression: (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dotnet_dump_execution\n version: ba3fb472\n description: Dotnet_dump was used to dump a process 
memory\n expression: exec.cmdline =~ \"*dotnet-dump*\" && exec.cmdline =~ \"*collect*\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: dummy_rule\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_AszwF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_BAiZP\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_CpDMZ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_DBtCK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_HfYXr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_JAnCe\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KJInv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KSDPb\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_LPRxi\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_PkauG\n version: 28ba1078\n description: Execution of a java process\n expression: 
exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_RMoJm\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_Tjzvu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VfQSV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VxNSK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_XcxFr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bKkuv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bVlLJ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_cdxqn\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_fWORB\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_iNwDw\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_ipyRF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
dummy_rule_ivMAv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_jcvqK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_lszUX\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_mABue\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_qDgvU\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_sUVnW\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_tSfwV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_xkrhu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n version: 1924611e\n description: A process unlinked a dynamic linker config file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"]\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_write\n version: 764fc516\n description: A process wrote to a dynamic linker config file\n expression: open.file.path 
in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"]\n && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.path\n not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"] && process.ancestors.file.path not in\n [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\",\n \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\",\n ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"] && process.argv0 not\n in [\"runc\", \"/usr/bin/runc\", \"/usr/sbin/runc\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: example_agent_rule\n version: 28ba1078\n description: An example agent rule generated in terraform\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425\n 
version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exec_lsmod\n version: 1a14c811\n description: Kernel modules were listed using the lsmod command\n expression: exec.comm == \"lsmod\"\n agent_version: ''\n filters: []\n- id: exec_whoami\n version: 90ea91b6\n description: The whoami command was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n filters: []\n- id: execution_context_auid\n version: f26b612e\n description: Track execution context from auid\n expression: exec.auid >= 0 && exec.auid != AUDIT_AUID_UNSET && ${process.correlation_key}\n in [\"\", ~\"cgroup_*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n 
- filter: ${process.correlation_key} != \"\"\n set:\n append: true\n default_value: ''\n expression: ${process.correlation_key}\n inherited: true\n name: parent_correlation_keys\n scope: process\n - set:\n default_value: ''\n expression: '\"auid_${builtins.uuid4}\"'\n inherited: true\n name: correlation_key\n scope: process\n- id: execution_context_cgroup\n version: a70f0019\n description: Track execution context from cgroup\n expression: exec.cgroup.id != process.parent.cgroup.id && ${process.correlation_key}\n in [\"\", ~\"cgroup_*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - filter: ${process.correlation_key} != \"\"\n set:\n append: true\n default_value: ''\n expression: ${process.correlation_key}\n inherited: true\n name: parent_correlation_keys\n scope: process\n - set:\n default_value: ''\n expression: '\"cgroup_${builtins.uuid4}\"'\n inherited: true\n name: correlation_key\n scope: process\n- id: execution_context_cgroup_write\n version: 87d33061\n description: Track execution context from cgroup write\n expression: cgroup_write.pid > 0 && ${process.correlation_key} in [\"\", ~\"cgroup_*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - filter: ${process.correlation_key} != \"\"\n set:\n append: true\n default_value: ''\n expression: ${process.correlation_key}\n inherited: true\n name: parent_correlation_keys\n scope: process\n scope_field: cgroup_write.pid\n - set:\n default_value: ''\n expression: '\"cgroup_${builtins.uuid4}\"'\n inherited: true\n name: correlation_key\n scope: process\n scope_field: cgroup_write.pid\n- id: execution_context_interactive_shell\n version: 673abb40\n description: Track execution context from interactive shell\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n 
\"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && (process.tty_name != \"\" || exec.args_flags in [\"i\"]) && ${process.correlation_key} in [\"\", ~\"cgroup_*\", ~\"auid_*\", ~\"service_*\", ~\"service_new_cgroup_*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - filter: ${process.correlation_key} != \"\"\n set:\n append: true\n default_value: ''\n expression: ${process.correlation_key}\n inherited: true\n name: parent_correlation_keys\n scope: process\n - set:\n default_value: ''\n expression: '\"interactive_shell_${builtins.uuid4}\"'\n inherited: true\n name: correlation_key\n scope: process\n- id: execution_context_k8s_usersession_entrypoint\n version: '40945946'\n description: Track execution context from k8s user session\n expression: exec.user_session.k8s_username != \"\" && ${process.correlation_key}\n in [\"\", ~\"cgroup_*\", ~\"auid_*\", ~\"service_*\", ~\"service_new_cgroup_*\", ~\"interactive_shell_*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - filter: ${process.correlation_key} != \"\"\n set:\n append: true\n default_value: ''\n expression: ${process.correlation_key}\n inherited: true\n name: parent_correlation_keys\n scope: process\n - set:\n default_value: ''\n expression: '\"k8s_session_${builtins.uuid4}\"'\n inherited: true\n name: correlation_key\n scope: process\n- id: execution_context_service\n version: 3fe535ef\n description: Track execution context from service\n expression: (exec.envs in [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] || \"tags.datadoghq.com/service\"\n in container.tags) && ${process.correlation_key} in [\"\", ~\"cgroup_*\", ~\"auid_*\"]\n agent_version: ''\n filters:\n - os == 
\"linux\"\n actions:\n - filter: ${process.correlation_key} != \"\"\n set:\n append: true\n default_value: ''\n expression: ${process.correlation_key}\n inherited: true\n name: parent_correlation_keys\n scope: process\n - set:\n default_value: ''\n expression: '\"service_${builtins.uuid4}\"'\n inherited: true\n name: correlation_key\n scope: process\n- id: execution_context_service_new_cgroup\n version: ec46e6bb\n description: Track execution context from new service cgroup\n expression: (exec.envs in [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] || \"tags.datadoghq.com/service\"\n in container.tags) && ${process.correlation_key} in [~\"service_*\"] && process.cgroup.id\n != process.parent.cgroup.id\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - filter: ${process.correlation_key} != \"\"\n set:\n append: true\n default_value: ''\n expression: ${process.correlation_key}\n inherited: true\n name: parent_correlation_keys\n scope: process\n - set:\n default_value: ''\n expression: '\"service_new_cgroup_${builtins.uuid4}\"'\n inherited: true\n name: correlation_key\n scope: process\n- id: execution_context_service_new_cgroup_write\n version: 8137122d\n description: Track execution context from new service cgroup write\n expression: cgroup_write.pid > 0 && (process.envs in [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"]\n || \"tags.datadoghq.com/service\" in container.tags) && ${process.correlation_key}\n in [~\"service_*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - filter: ${process.correlation_key} != \"\"\n set:\n append: true\n default_value: ''\n expression: ${process.correlation_key}\n inherited: true\n name: parent_correlation_keys\n scope: process\n scope_field: cgroup_write.pid\n - set:\n default_value: ''\n expression: '\"service_new_cgroup_${builtins.uuid4}\"'\n inherited: true\n name: correlation_key\n scope: process\n scope_field: cgroup_write.pid\n- id: file_sync_exfil\n version: bdcbbeb8\n description: The rclone utility was 
executed\n expression: exec.file.name in [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: find_credentials\n version: c16ed3fa\n description: find command searching for sensitive files\n expression: exec.comm == \"find\" && exec.args in [~\"*credentials*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: gcp_imds\n version: 3035dbbf\n description: An GCP IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\",\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version: 60fd84a9\n description: A hidden file was executed in a suspicious folder\n expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version: ''\n filters: []\n- id: interactive_shell_in_container\n version: 757f83d3\n description: An interactive shell was started inside of a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: inveigh_tool_usage\n version: da9cc26\n description: Process executed with arguments common with 
Inveigh tool usage\n expression: exec.cmdline in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\",\n ~\"*ReplyToMACs*\", ~\"*SnifferIP*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: ip_check_domain\n version: 2d5285c0\n description: A DNS lookup was done for a IP check service\n expression: dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: ip_lookup_domain\n version: 61534f27\n description: A process checked the public IP address of the host\n expression: connect.addr.hostname in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && connect.addr.is_public ==\n true && connect.addr.port in [80, 443]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: java_shell_execution_parent\n version: 1bcff0aa\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n && process.parent.file.name in [\"java\", \"jspawnhelper\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: jupyter_shell_execution\n version: d2d9243c\n 
description: A Jupyter notebook executed a shell\n expression: (exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"]\n || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"])\n && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: k8s_user_session\n version: c8407c7f\n description: A process was executed in a Kubernetes user session\n expression: exec.user_session.k8s_username != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 82c61c82\n description: A new kernel module was added\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\", 
~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_chown\n version: ca2cf124\n description: A new kernel module was added\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_link\n version: a18ca197\n description: A new kernel module was added\n expression: |-\n (\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\", ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load\n version: 904592b4\n description: A kernel module was loaded\n expression: load_module.loaded_from_memory == false && load_module.name not in [\"nf_tables\",\n \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\",\n \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] && process.ancestors.file.name\n not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\",\n \"ssm-agent-worker\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_container\n version: 139b666a\n description: A container loaded a new kernel module\n expression: load_module.name != \"\" && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n description: A kernel module was loaded from memory\n expression: load_module.loaded_from_memory == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n version: a277c753\n description: A kernel module was loaded from memory inside a container\n expression: load_module.loaded_from_memory == true && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_open\n version: 55f9569\n description: A new kernel module was added\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in 
[ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_rename\n version: 9d8cb7d8\n description: A new kernel module was added\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\", ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_unlink\n version: 652391be\n description: A new kernel module was added\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_utimes\n version: 405d45e7\n description: A new kernel module was added\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_process_masquerade\n version: 817d4169\n description: A process is masquerading as a kernel thread by using bracket notation\n in its name\n expression: (exec.comm in [r\"^\\[.*\\]$\"] || exec.argv0 in [r\"^\\[.*\\]$\"]) && (process.parent.ppid\n !=2 || process.args != \"\")\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kmod_list\n version: c353a548\n description: Kernel modules were listed using the kmod command\n expression: exec.comm == \"kmod\" && exec.args in [~\"*list*\"]\n agent_version: ''\n filters: []\n- id: known_dll_registry_key_modified\n version: 49b8fe22\n description: Windows Known DLLs location registry key modified\n expression: set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session\n Manager\\KnownDLLs*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: ld_audit_unusual_library_path\n version: 
36430a84\n description: The LD_AUDIT variable is populated by a link to a suspicious file directory\n expression: \"process.envs in [\\\"LD_AUDIT\\\"] && \\n(\\n mmap.file.path in [~\\\"/home/*\\\"\\\n , ~\\\"/tmp/*\\\", ~\\\"/dev/shm/*\\\"] || \\n mmap.file.in_upper_layer == true\\n) &&\\n\\\n mmap.protection & (PROT_EXEC) > 0 \"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ld_preload_unusual_library_path\n version: cc6fd0c4\n description: The LD_PRELOAD variable is populated by a link to a suspicious file\n directory\n expression: exec.envs in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: memfd_create\n version: 5908512a\n description: memfd object created\n expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\" && process.parent.file.path\n not in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\" , \"/run/docker/runtime-runc/moby/*\",\n \"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\"] && !(process.comm == \"dd-ipc-helper\"\n && exec.file.name in [\"memfd:spawn_worker_trampoline (deleted)\", \"memfd:spawn_worker_trampoline\"])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: mining_pool_domain\n version: 4e0f8e8d\n description: A process connected to a cryptocurrency mining pool\n expression: connect.addr.hostname in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\",\n \"nanopool.org\", ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\",\n ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", ~\"*.f2pool.com\",\n \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", \"rplant.xyz\", ~\"*.miningocean.org\",\n \"miningocean.org\"] && connect.addr.is_public == true && connect.addr.port not\n in [53, 80, 443]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: mining_pool_lookup\n version: 4241c309\n description: A process resolved a DNS name associated with cryptomining 
activity\n expression: dns.question.name in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\",\n \"nanopool.org\", ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\",\n ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", ~\"*.f2pool.com\",\n \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", \"rplant.xyz\", ~\"*.miningocean.org\",\n \"miningocean.org\"] && process.file.name != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: mount_host_fs\n version: accb4f\n description: The host file system was mounted in a container\n expression: mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n agent_version: ''\n filters: []\n- id: mount_proc_hide\n version: fd887e01\n description: Process hidden using mount\n expression: mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\",\n ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"] && process.argv0\n != \"runc\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_file_download\n version: 75b930ad\n description: A suspicious file was written by a network utility\n expression: |-\n open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n )\n agent_version: ''\n filters: []\n- id: net_unusual_request\n version: 3df2d9ef\n description: Network utility executed with suspicious URI\n expression: 'exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n filters: []\n- id: net_util\n version: fc362090\n description: A network utility was executed\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] 
||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_exfiltration\n version: 5f7c8871\n description: Exfiltration attempt via network utility\n expression: |-\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] &&\n exec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] &&\n exec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_util_in_container\n version: 69e03ac1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_in_container_v2\n version: 26d8eba1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: network_sniffing_tool\n version: 4ae409bf\n description: Local account groups were enumerated after container start up\n expression: exec.file.name in [\"tcpdump\", \"tshark\"]\n agent_version: ''\n filters: []\n- id: new_binary_execution_in_container\n version: 9dc42e1d\n description: A container executed a new binary not found in the container image\n expression: container.id != \"\" && process.file.in_upper_layer && process.file.modification_time\n < 30s && exec.file.name != \"\"\n agent_version: 
''\n filters: []\n- id: new_java_detect_sync_test\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_us1_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: nohup_usage\n version: 8a570532\n description: nohup was used to ignore process termination signals\n expression: exec.comm == \"nohup\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_chmod\n version: d301aedf\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_chown\n version: '69383592'\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_link\n version: e0565b29\n description: Nsswitch Configuration Modified\n expression: |-\n (\n 
(link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open\n version: b5602c6f\n description: Nsswitch Configuration Modified\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open_v2\n version: abef53c9\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && container.id != \"\" && container.created_at > 90s && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_rename\n version: aad34176\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_unlink\n version: 8a3e2fbb\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: ntds_in_commandline\n version: 5cdd4bba\n description: NTDS file referenced in commandline\n expression: exec.cmdline =~ \"*ntds.dit*\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: offensive_k8s_tool\n version: b83fba22\n description: A known kubernetes pentesting tool 
has been executed\n expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv ||\n \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: overwrite_entrypoint\n version: 38eea29c\n description: A process attempted to overwrite the container entrypoint\n expression: open.file.path == \"/proc/self/fd/1\" && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY\n > 0 && container.id != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: p2pinfect_connection\n version: 169317f9\n description: A process made a connection to a port associated with P2PInfect malware\n expression: (connect.addr.family == AF_INET || connect.addr.family == AF_INET6)\n && connect.addr.is_public == true && connect.addr.port >= 60100 && connect.addr.port\n <= 60150\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - hash:\n field: process.file\n- id: package_management_in_container\n version: c152fcaf\n description: Package management was detected in a container\n expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pam_modification_chmod\n version: 974a676e\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pam_modification_chown\n version: ca22d0ab\n description: PAM may have been modified 
without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pam_modification_link\n version: 3d5d6b31\n description: PAM may have been modified without authorization\n expression: |-\n (\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"]\n || link.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"])\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pam_modification_open\n version: 9440f452\n description: PAM may have been modified without authorization\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pam_modification_rename\n version: bd1d257a\n description: PAM may have been modified without authorization\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pam_modification_unlink\n version: c3dc53e1\n description: PAM may have been modified without authorization\n expression: |-\n (\n (unlink.file.path 
in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pam_modification_utimes\n version: d377b599\n description: PAM may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: passwd_execution\n version: e1d41f5e\n description: The passwd or chpasswd utility was used to modify an account password\n expression: exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags\n not in [\"S\", \"status\"]\n agent_version: ''\n filters: []\n- id: paste_site\n version: b528c8d4\n description: A DNS lookup was done for a pastebin-like site\n expression: dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\",\n \"klgrth.io\", \"rentry.co\", \"transfer.sh\"] && process.file.name != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: paste_site_domain\n version: ed730586\n description: A process connected to a paste site\n expression: connect.addr.hostname in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\",\n \"klgrth.io\", \"rentry.co\", \"transfer.sh\"] && connect.addr.is_public == true &&\n connect.addr.port in [80, 443]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && 
process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_chown\n version: 21da2189\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_link\n version: a7ac587c\n description: Critical system binaries may have been modified\n expression: |-\n (\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", 
~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_open\n version: f583ba7c\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open_v2\n version: 45abd074\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.id != \"\" && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version: e0bc0857\n description: Critical system binaries may have been modified\n expression: |-\n (\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_unlink\n version: 3bb086ca\n description: Critical system binaries may have been modified\n expression: |-\n (\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_utimes\n version: 6d979630\n description: Critical system binaries may have been modified\n expression: |-\n (\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pentest_domain\n version: c05d76a\n description: A process connected to a penetration testing domain\n expression: connect.addr.hostname in [~\"*.interact.sh\", ~\"*.oast.pro\", ~\"*.oast.live\",\n ~\"*.oast.fun\", ~\"*.oast.me\", ~\"*.burpcollaborator.net\", ~\"*.oastify.com\", ~\"*canarytokens.com\",\n ~\"*.requestbin.net\", ~\"*.dnslog.cn\"] && connect.addr.is_public == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: perl_shell\n version: 2eb4b1e8\n description: Perl executed with suspicious argument\n expression: exec.file.name == ~\"perl*\" && exec.args_flags in [\"e\"] && (exec.args\n in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", ~\"*stdin*\",\n ~\"*stdout\"])\n agent_version: ''\n filters:\n - os == 
\"linux\"\n- id: potential_web_shell_parent\n version: b67ffbcd\n description: A web application spawned a shell or shell utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/
printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) &&\n (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ps_discovery\n version: a0a32c4b\n description: Processes were listed using the ps command\n expression: exec.comm == \"ps\" && exec.argv not in [\"-p\", \"--pid\"] && process.ancestors.file.name\n not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] && process.parent.file.name\n not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\",\n \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\",\n \"check_procs\", \"newrelic-daemon\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ptrace_antidebug\n version: a6289ff7\n description: A process uses an anti-debugging technique to block debuggers\n expression: ptrace.request == PTRACE_TRACEME && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: ptrace_injection\n version: 6d290a43\n description: A process attempted to inject code into another process\n expression: ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n || ptrace.request == PTRACE_POKEUSR\n agent_version: ''\n filters: []\n- id: pwnkit_privilege_escalation\n version: c83bbabc\n description: A 
process was spawned with indicators of exploitation of CVE-2021-4034\n expression: (exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"]\n && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)\n agent_version: ''\n filters: []\n- id: python_cli_code\n version: '989474'\n description: Python code was provided on the command line\n expression: exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args\n in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", ~\"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ransomware_note\n version: ee40f85a\n description: Possible ransomware note created under common user directories\n expression: |-\n open.flags & O_CREAT > 0\n && open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n && (open.file.name in [r\"(?i)(restore|recover|instruction|help|how_to|how\\ to|ransom).*(your_|recover|crypt|lock|ransom|instruction|files)\"] || open.file.name in [r\"RECOVER.*\\.txt\"]) && open.file.name not in [r\"\\.lock$\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n description: RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\",\n \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: read_kubeconfig\n version: '80926379'\n description: The kubeconfig file was accessed\n expression: open.file.path in [~\"/home/*/.kube/config\", 
\"/root/.kube/config\"]\n agent_version: ''\n filters: []\n- id: redis_save_module\n version: b1cb9110\n description: Redis module has been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\", \"redis-server\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - hash: {}\n- id: registry_runkey_modified\n version: 3df7b8e9\n description: A Registry runkey has been modified\n expression: set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\",\n ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\",\n ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\",\n ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\",\n ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: relay_attack_tool_execution\n version: f078acb1\n description: Process matches known relay attack tool\n expression: exec.file.name in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\",\n ~\"*JuicyPotato*\", ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", \"Potato.exe\",\n \"SpoolSample.exe\", \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\",\n ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", ~\"*ntlmrelay*\",\n ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: runc_modification\n 
version: c7144439\n description: The runc binary was modified in a non-standard way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY > 0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: safeboot_modification\n version: 75fb1a6f\n description: Safeboot registry modified\n expression: set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: scheduled_task_creation\n version: 9c3f2289\n description: A scheduled task was created\n expression: exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] && exec.cmdline =~ \"*create*\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: selinux_disable_enforcement\n version: afa9a8ba\n description: SELinux enforcement status was disabled\n expression: selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args\n != ~\"*BECOME-SUCCESS*\"\n agent_version: ''\n filters: []\n- id: service_stop\n version: 8e434232\n description: systemctl used to stop a service\n expression: exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]\n agent_version: ''\n filters: []\n- id: shell_history_deleted\n version: ff763e6\n description: Shell History was Deleted\n expression: unlink.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\",\n \"fish_history\", \".dash_history\", 
\".sh_history\"] && unlink.file.path in [~\"/root/**\",\n ~\"/home/**\"] && process.comm not in [\"dockerd\", \"containerd\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: shell_history_symlink\n version: 31982e4d\n description: A symbolic link for shell history was created targeting /dev/null\n expression: exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n agent_version: ''\n filters: []\n- id: shell_history_truncated\n version: 38ec83e8\n description: Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && open.file.name\n in [\".bash_history\", \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\",\n \".sh_history\"] && open.file.path in [~\"/root/*\", ~\"/home/**\"] && process.file.name\n == \"truncate\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: shell_profile_modification\n version: d1cecdac\n description: Shell profile was modified\n expression: open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\n agent_version: ''\n filters: []\n- id: sliver_c2_implant_execution\n version: ec10a8b2\n description: process arguments match sliver c2 implant\n expression: exec.cmdline =~ \"*NoExit *\" && exec.cmdline =~ \"*Command *\" && exec.cmdline\n =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: ssh_authorized_keys_chmod\n version: e4096f79\n description: SSH modified keys may have been modified\n expression: |-\n (\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chown\n version: 9639bf6\n description: SSH modified keys may have been modified\n expression: |-\n (\n chown.file.name in [ 
\"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_link\n version: 81382bdd\n description: SSH Authorized Keys Modified\n expression: |-\n (\n link.file.name == \"authorized_keys\" && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open\n version: 1ae8f7d6\n description: SSH modified keys may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssh_authorized_keys_open_v2\n version: 513f8108\n description: SSH modified keys may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && container.id != \"\" && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssh_authorized_keys_rename\n version: fd3bdabf\n description: SSH Authorized Keys Modified\n expression: |-\n (\n rename.file.name == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_unlink\n version: 54cf4a88\n description: SSH Authorized Keys Modified\n expression: |-\n (\n unlink.file.name == \"authorized_keys\" && (unlink.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: 
ssh_authorized_keys_utimes\n version: 59377e61\n description: SSH Authorized Keys Modified\n expression: |-\n (\n utimes.file.name == \"authorized_keys\" && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_it_tool_config_write\n version: 86ae3762\n description: The configuration directory for an ssh worm\n expression: open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\",\n ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) >\n 0\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_chmod\n version: d8ac6517\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.mode != chmod.file.destination.mode\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_chown\n version: 3d04895f\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) 
&& (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_link\n version: eb594616\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_open\n version: c34bcf3a\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_open_v2\n version: a90058eb\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n && container.id != \"\"\n && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_rename\n version: e42eefb4\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_unlink\n version: 37c40311\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_utimes\n version: 29db81c1\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: static_pod_manifest_created\n version: af289296\n description: A new static pod manifest was created in the Kubernetes manifests directory\n expression: |-\n open.flags 
& O_CREAT > 0\n && open.file.path in [~\"/etc/kubernetes/manifests/*\"]\n && open.file.extension in [\".yaml\", \".yml\"]\n && process.file.path not in [\"/usr/bin/kubelet\", \"/usr/local/bin/kubelet\", \"/opt/bin/kubelet\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: sudoers_policy_modified_chmod\n version: ae70daab\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n ) && chmod.file.destination.mode != chmod.file.mode && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: sudoers_policy_modified_chown\n version: 898b1aa0\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: sudoers_policy_modified_link\n version: 1f1b8962\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (link.file.path in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"]\n || link.file.destination.path in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: sudoers_policy_modified_open\n version: af2610b6\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: sudoers_policy_modified_rename\n version: 531fc9ae\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_unlink\n version: 5568da57\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (unlink.file.path in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: sudoers_policy_modified_utimes\n version: d99c2466\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (utimes.file.path == \"/etc/sudoers\")\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: suid_file_execution\n version: 1b4f4075\n description: a SUID file was executed\n expression: (setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID\n > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"\n agent_version: ''\n filters: []\n- id: suspicious_container_client\n version: 8b9461f4\n description: A container management utility was executed in a container\n expression: exec.file.name in [\"docker\", \"kubectl\", \"ctr\"] && container.id != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: suspicious_suid_execution\n version: 216c8207\n description: Recently written or modified suid file has been executed\n expression: ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n < 
30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\",\n \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\",\n \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", ~\"/opt/datadog-installer/**\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n version: b0643139\n description: A service may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: systemd_modification_chown\n version: a0497885\n description: A service may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_link\n version: 
11a77f5b\n description: A service may have been modified without authorization\n expression: \"(\\n ( link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\"\\\n , ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"\\\n ]\\n || link.file.destination.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\"\\\n , ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\"\\\n , ~\\\"/run/systemd/user/**\\\"] \\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\"\\\n , ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\"\\\n , ~\\\"/run/systemd/system/**\\\"] \\n || link.file.path in [ ~\\\"/etc/systemd/user/**\\\"\\\n , ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\"\\\n , ~\\\"/run/systemd/user/**\\\"])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\"\\\n , ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"\\\n , \\\"/usr/lib/snapd/snapd\\\"]\\n)\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_open\n version: b6dce303\n description: A service may have been modified without authorization\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || open.file.path in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_rename\n version: 9759ce6\n description: A service may have been modified without authorization\n expression: \"(\\n ( rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\"\\\n , ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"\\\n ] \\n || rename.file.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\"\\\n , ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\"\\\n , ~\\\"/run/systemd/user/**\\\"]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\"\\\n , ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\"\\\n , ~\\\"/run/systemd/system/**\\\"] \\n || rename.file.destination.path in [ ~\\\"\\\n /etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\"\\\n , ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"])\\n \\\n \\ && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\"\\\n , \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"\\\n , \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_unlink\n version: 8400ece8\n description: A service may have been modified without authorization\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || unlink.file.path in [ 
~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_utimes\n version: 82acf2d\n description: A service may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || utimes.file.path in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tar_execution\n version: e63af392\n description: Tar archive created\n expression: exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\n 
version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n 
agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == 
\"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- 
id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\n 
version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\n version: f43786f8\n 
description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\n version: f43786f8\n 
description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\n 
version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\n version: 28ba1078\n description: an agent rule\n 
expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name 
== \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tty_shell_in_container\n version: 3d9489bb\n description: A shell with a TTY was executed in a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"\n agent_version: ''\n filters: []\n- id: tunnel_traffic\n version: 816201a5\n description: Tunneling or port forwarding tool used\n expression: ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags\n in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in\n [\"R\", \"L\", \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"]\n ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"])\n || (exec.comm == \"socat\" && process.args in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm\n in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\",\n \"3proxy\", \"ngrok\"] && 
process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\",\n \"csh\", \"zsh\", \"ksh\", \"fish\"])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: unlink_self\n version: 9f65729b\n description: A process removed itself from the filesystem\n expression: unlink.file.path == process.file.path\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: user_created_tty\n version: 5b5f4a52\n description: A user was created via an interactive session\n expression: exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name\n !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version: ''\n filters: []\n- id: user_deleted_tty\n version: ad8edbe\n description: A user was deleted via an interactive session\n expression: exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path\n not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\",\n \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: windows_com_rpc_debugging_registry_key_modified\n version: 9b71ec1\n description: Windows RPC COM debugging registry key modified\n expression: set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\n NT\\CurrentVersion\\Windows*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: windows_cryptominer_process\n version: e26f81ab\n description: A cryptominer was potentially executed\n expression: exec.cmdline in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\",\n ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", 
~\"*stratum2+tcp*\",\n ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: windows_security_essentials_executable_modified\n version: 28b5296d\n description: microsoft security essentials executable modified\n expression: write.file.device_path in [~\"\\Device\\*\\Program Files\\Microsoft Security\n Client\\msseces.exe\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: winlogon_registry_key_modified\n version: 494de453\n description: Windows winlogon registry key modified\n expression: set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\n NT\\CurrentVersion\\Winlogon*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n" }, "cookies": [], "headers": [ @@ -47,8 +47,8 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:25:07.909Z", - "time": 893 + "startedDateTime": "2025-10-02T12:40:35.197Z", + "time": 1043 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-returns-OK-response_4266008950/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-returns-OK-response_4266008950/frozen.json index 074ac63cf239..e0034a94e311 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-returns-OK-response_4266008950/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-returns-OK-response_4266008950/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:08.813Z" +"2025-10-02T12:40:36.246Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-returns-OK-response_4266008950/recording.har b/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-returns-OK-response_4266008950/recording.har index 2de0231bdc09..206fe4c938e0 100644 
--- a/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-returns-OK-response_4266008950/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Download-the-Workload-Protection-policy-returns-OK-response_4266008950/recording.har @@ -28,12 +28,12 @@ "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/download" }, "response": { - "bodySize": 27448, + "bodySize": 38860, "content": { "encoding": "base64", "mimeType": "application/zip", - "size": 27448, - "text": "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" + "size": 38860, + "text": "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" }, "cookies": [], "headers": [ @@ -48,8 +48,8 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:25:08.816Z", - "time": 584 + "startedDateTime": "2025-10-02T12:40:36.247Z", + "time": 1064 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response_195270388/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response_195270388/frozen.json index ce1c6b6068e1..aa928b3df8ab 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response_195270388/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response_195270388/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:09.411Z" +"2025-10-02T12:40:37.317Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response_195270388/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response_195270388/recording.har index fc437b2ec914..1c6c40bf2574 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response_195270388/recording.har 
+++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response_195270388/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "58b0e4278b1a941f43740f548704a50d", + "_id": "446cf99d3b06e9d4debfef1f66672880", "_order": 0, "cache": {}, "request": { @@ -21,18 +21,18 @@ "value": "application/json" } ], - "headersSize": 590, + "headersSize": 581, "httpVersion": "HTTP/1.1", "method": "GET", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/non-existent-rule-id" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-def-ghi" }, "response": { - "bodySize": 25, + "bodySize": 71, "content": { "mimeType": "application/json", - "size": 25, - "text": "{\"errors\":[\"Not found\"]}\n" + "size": 71, + "text": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=abc-def-ghi)\"]}" }, "cookies": [], "headers": [ @@ -41,14 +41,14 @@ "value": "application/json" } ], - "headersSize": 661, + "headersSize": 653, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2025-05-27T10:25:09.416Z", - "time": 307 + "startedDateTime": "2025-10-02T12:40:37.319Z", + "time": 457 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response_3687195095/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response_3687195095/frozen.json index bb3b10a2cbc0..bdcc5e9d68c1 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response_3687195095/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response_3687195095/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:09.727Z" +"2025-10-02T12:40:37.780Z" 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response_3687195095/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response_3687195095/recording.har index 77cca5dc7c9b..cbb8f1f4a2ae 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response_3687195095/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response_3687195095/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "68f95447e73025ba1a4928c41592e64b", + "_id": "a0289f235851fe413403af9b0d6e07ca", "_order": 0, "cache": {}, "request": { @@ -32,7 +32,7 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1748341509\"},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1759408837\"},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules" 
@@ -42,7 +42,7 @@ "content": { "mimeType": "application/json", "size": 640, - "text": "{\"data\":{\"id\":\"ser-ofz-4ms\",\"attributes\":{\"version\":1,\"name\":\"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1748341509\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1748341510125,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1748341510125,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n" + "text": "{\"data\":{\"id\":\"ooo-7sa-mmk\",\"attributes\":{\"version\":1,\"name\":\"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1759408837\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1759408838222,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1759408838222,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n" }, "cookies": [], "headers": [ @@ -57,11 +57,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:25:09.728Z", - "time": 445 + "startedDateTime": "2025-10-02T12:40:37.782Z", + "time": 525 }, { - "_id": "6fbe4c4169d57f601163db5e2c06e287", + "_id": "78d1e5bbe34e5cf6b7dc0b040d44eb45", "_order": 0, "cache": {}, "request": { 
@@ -78,33 +78,33 @@ "httpVersion": "HTTP/1.1", "method": "GET", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ser-ofz-4ms" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ooo-7sa-mmk" }, "response": { - "bodySize": 640, + "bodySize": 639, "content": { - "mimeType": "application/json", - "size": 640, - "text": "{\"data\":{\"id\":\"ser-ofz-4ms\",\"attributes\":{\"version\":1,\"name\":\"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1748341509\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1748341510125,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1748341510125,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n" + "mimeType": "application/vnd.api+json", + "size": 639, + "text": "{\"data\":{\"id\":\"ooo-7sa-mmk\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1759408838222,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1759408837\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1759408838222,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}}}" }, "cookies": [], "headers": [ { "name": 
"content-type", - "value": "application/json" + "value": "application/vnd.api+json" } ], - "headersSize": 686, + "headersSize": 662, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:25:10.179Z", - "time": 324 + "startedDateTime": "2025-10-02T12:40:38.311Z", + "time": 512 }, { - "_id": "8d34d34a25ea97114aaf47087023439c", + "_id": "1a31944aaba192b6041cb5c2b7be523f", "_order": 0, "cache": {}, "request": { @@ -121,7 +121,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ser-ofz-4ms" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ooo-7sa-mmk" }, "response": { "bodySize": 0, @@ -131,14 +131,14 @@ }, "cookies": [], "headers": [], - "headersSize": 633, + "headersSize": 632, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-05-27T10:25:10.511Z", - "time": 344 + "startedDateTime": "2025-10-02T12:40:38.826Z", + "time": 644 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response_1866284696/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response_1866284696/frozen.json index 33d211739ccc..5a8d9bf038bc 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response_1866284696/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response_1866284696/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:10.862Z" +"2025-10-02T12:40:39.474Z" 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response_1866284696/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response_1866284696/recording.har index a9668576cb4d..cd29001cb03e 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response_1866284696/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response_1866284696/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "e22ee5d87a99d8d51774a5113be6b1d8", + "_id": "ae320517228c28f1da5c3d55176d9631", "_order": 0, "cache": {}, "request": { @@ -21,11 +21,11 @@ "value": "application/json" } ], - "headersSize": 562, + "headersSize": 553, "httpVersion": "HTTP/1.1", "method": "GET", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/non-existent-rule-id" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-def-ghi" }, "response": { "bodySize": 44, @@ -47,8 +47,8 @@ "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2025-05-27T10:25:10.865Z", - "time": 365 + "startedDateTime": "2025-10-02T12:40:39.475Z", + "time": 630 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-OK-response_1391231659/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-OK-response_1391231659/frozen.json index bb47cdb9501b..0f91da981cfa 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-OK-response_1391231659/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-OK-response_1391231659/frozen.json @@ -1 +1 @@ -"2025-06-13T15:16:09.321Z" +"2025-10-02T12:40:40.107Z" 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-OK-response_1391231659/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-OK-response_1391231659/recording.har index a71c3a2c230b..a4bd394eb574 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-OK-response_1391231659/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-agent-rule-returns-OK-response_1391231659/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "7f4903c984321315da73bf09308694d6", + "_id": "eb8e9da3180e55f1b8454f0854f704b2", "_order": 0, "cache": {}, "request": { 
@@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1749827769\"},\"type\":\"policy\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1759408840\"},\"type\":\"policy\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" }, "response": { - "bodySize": 443, + "bodySize": 439, "content": { "mimeType": "application/json", - "size": 443, - "text": "{\"data\":{\"id\":\"8ps-fwp-o64\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1749827769\",\"policyVersion\":\"1\",\"priority\":1000000013,\"ruleCount\":226,\"updateDate\":1749827769724,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 439, + "text": "{\"data\":{\"id\":\"2f4-u0b-db2\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":7,\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1759408840\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":8,\"updateDate\":1759408840513,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ 
@@ -57,11 +57,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-06-13T15:16:09.325Z", - "time": 970 + "startedDateTime": "2025-10-02T12:40:40.109Z", + "time": 865 }, { - "_id": "ad8afea9afe52fb08abc94eaed4fee31", + "_id": "47e010c296ceca78fcf9a88bb7f441f2", "_order": 0, "cache": {}, "request": { 
@@ -85,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"scope\":\"process\",\"value\":\"test_value\"}},{\"hash\":{}}],\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1749827769\",\"policy_id\":\"8ps-fwp-o64\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"scope\":\"process\",\"value\":\"test_value\"}},{\"hash\":{}}],\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1759408840\",\"policy_id\":\"2f4-u0b-db2\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" }, "response": { - "bodySize": 676, + "bodySize": 694, "content": { "mimeType": "application/json", - "size": 676, - "text": "{\"data\":{\"id\":\"onw-c2u-mha\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\"},\"disabled\":false},{\"hash\":{},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1749827770435,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"8ps-fwp-o64\"],\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1749827769\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1749827770435,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 694, + "text": 
"{\"data\":{\"id\":\"j2k-byy-lhj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\",\"inherited\":false},\"disabled\":false},{\"hash\":{},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1759408841358,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"2f4-u0b-db2\"],\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1759408840\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1759408841358,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ @@ -110,11 +110,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-06-13T15:16:10.300Z", - "time": 949 + "startedDateTime": "2025-10-02T12:40:40.977Z", + "time": 971 }, { - "_id": "03e03ae5e5fa0b6034dcedc539b6994d", + "_id": "8a34c84a422afb920737c48d9dbf3186", "_order": 0, "cache": {}, "request": { 
@@ -133,17 +133,17 @@ "queryString": [ { "name": "policy_id", - "value": "8ps-fwp-o64" + "value": "2f4-u0b-db2" } ], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/onw-c2u-mha?policy_id=8ps-fwp-o64" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/j2k-byy-lhj?policy_id=2f4-u0b-db2" }, "response": { - "bodySize": 676, + "bodySize": 694, "content": { "mimeType": "application/json", - "size": 676, - "text": "{\"data\":{\"id\":\"onw-c2u-mha\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\"},\"disabled\":false},{\"hash\":{},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1749827770435,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"8ps-fwp-o64\"],\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1749827769\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1749827770435,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 694, + "text": "{\"data\":{\"id\":\"j2k-byy-lhj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\",\"inherited\":false},\"disabled\":false},{\"hash\":{},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1759408841358,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"2f4-u0b-db2\"],\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1759408840\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1759408841358,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ @@ -158,11 +158,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-06-13T15:16:11.259Z", - "time": 597 + "startedDateTime": "2025-10-02T12:40:41.952Z", + "time": 692 }, { - "_id": "22c8428e293837ba6fc1c4fdb0cab0ed", + "_id": "70828cb75294407e5360ece44ce14802", "_order": 0, "cache": {}, "request": { @@ -179,7 +179,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/onw-c2u-mha" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/j2k-byy-lhj" }, "response": { "bodySize": 0, @@ -200,11 +200,11 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-06-13T15:16:11.863Z", - "time": 965 + "startedDateTime": "2025-10-02T12:40:42.647Z", + "time": 985 }, { - "_id": "77e02aac57a2df9f875d602d84a50c97", + "_id": "bdbd1bdd432a78a3bff6195b8502b046", "_order": 0, "cache": {}, "request": { @@ -221,7 +221,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/8ps-fwp-o64" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/2f4-u0b-db2" }, "response": { "bodySize": 0, @@ -242,8 +242,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-06-13T15:16:12.832Z", - "time": 1198 + "startedDateTime": "2025-10-02T12:40:43.635Z", + "time": 911 } ], "pages": [], 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-Not-Found-response_1501957197/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-Not-Found-response_1501957197/frozen.json index 0f7ea2b29d6b..05820a7f14b8 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-Not-Found-response_1501957197/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-Not-Found-response_1501957197/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:14.574Z" +"2025-10-02T12:40:44.548Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-Not-Found-response_1501957197/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-Not-Found-response_1501957197/recording.har index 1e3442c9d4e2..f34fd38694aa 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-Not-Found-response_1501957197/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-Not-Found-response_1501957197/recording.har @@ -47,8 +47,8 @@ "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2025-05-27T10:25:14.577Z", - "time": 504 + "startedDateTime": "2025-10-02T12:40:44.550Z", + "time": 804 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-OK-response_2383804556/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-OK-response_2383804556/frozen.json index 72e2b54e668b..1af4c8925312 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-OK-response_2383804556/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-OK-response_2383804556/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:15.088Z" +"2025-10-02T12:40:45.358Z" 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-OK-response_2383804556/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-OK-response_2383804556/recording.har index 3f4ff34e0d7d..c6ca3cf0ccca 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-OK-response_2383804556/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Workload-Protection-policy-returns-OK-response_2383804556/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "ef805071153a7496258a3082056602f9", + "_id": "d42bb9bcdd081aec5638a60357667fde", "_order": 0, "cache": {}, "request": { 
@@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetaworkloadprotectionpolicyreturnsokresponse1748341515\"},\"type\":\"policy\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetaworkloadprotectionpolicyreturnsokresponse1759408845\"},\"type\":\"policy\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" }, "response": { - "bodySize": 440, + "bodySize": 436, "content": { "mimeType": "application/json", - "size": 440, - "text": "{\"data\":{\"id\":\"xln-mmt-sy7\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetaworkloadprotectionpolicyreturnsokresponse1748341515\",\"policyVersion\":\"1\",\"priority\":1000000011,\"ruleCount\":226,\"updateDate\":1748341515373,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 436, + "text": "{\"data\":{\"id\":\"smg-qsp-kse\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":7,\"name\":\"testgetaworkloadprotectionpolicyreturnsokresponse1759408845\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":8,\"updateDate\":1759408845738,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ 
@@ -57,11 +57,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:25:15.093Z", - "time": 623 + "startedDateTime": "2025-10-02T12:40:45.360Z", + "time": 967 }, { - "_id": "d0b96a66672b03aa30df46e6b87492a9", + "_id": "8cefc6a1a6dfd903a7f1b1708fc98710", "_order": 0, "cache": {}, "request": { @@ -78,14 +78,14 @@ "httpVersion": "HTTP/1.1", "method": "GET", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/xln-mmt-sy7" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/smg-qsp-kse" }, "response": { - "bodySize": 440, + "bodySize": 436, "content": { "mimeType": "application/json", - "size": 440, - "text": "{\"data\":{\"id\":\"xln-mmt-sy7\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetaworkloadprotectionpolicyreturnsokresponse1748341515\",\"policyVersion\":\"1\",\"priority\":1000000011,\"ruleCount\":226,\"updateDate\":1748341515373,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 436, + "text": "{\"data\":{\"id\":\"smg-qsp-kse\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":0,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":0,\"name\":\"testgetaworkloadprotectionpolicyreturnsokresponse1759408845\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":0,\"updateDate\":1759408845738,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ 
@@ -100,11 +100,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:25:15.719Z", - "time": 450 + "startedDateTime": "2025-10-02T12:40:46.330Z", + "time": 685 }, { - "_id": "20377b4aff128aa8380013da6d6f6a62", + "_id": "e2368ce44063bc94aa7de6c329e7f5fe", "_order": 0, "cache": {}, "request": { @@ -121,7 +121,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/xln-mmt-sy7" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/smg-qsp-kse" }, "response": { "bodySize": 0, @@ -142,8 +142,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-05-27T10:25:16.172Z", - "time": 562 + "startedDateTime": "2025-10-02T12:40:47.019Z", + "time": 1195 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response_4219831692/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response_4219831692/frozen.json index 821d9860e503..81b7a893a1fa 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response_4219831692/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response_4219831692/frozen.json @@ -1 +1 @@ -"2025-06-04T08:45:43.051Z" +"2025-10-02T12:40:48.217Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response_4219831692/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response_4219831692/recording.har index ff95ea6bc1ed..729b882f40f6 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response_4219831692/recording.har 
+++ b/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response_4219831692/recording.har 
@@ -28,27 +28,27 @@ "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules" }, "response": { - "bodySize": 271895, + "bodySize": 304081, "content": { - "mimeType": "application/json", - "size": 271895, - "text": "{\"data\":[{\"id\":\"h9w-1za-erv\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1742473059337,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1742473059978,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"khg-aab-9th\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1737245935950,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1737245936416,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ayg-ed4-gwq\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_KSDPb\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1730871736407,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1730871736407,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"om5-n7z-ike\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_qDgvU\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1727845578846,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1727845578846,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"6ae-6oo-ebo\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_DBtCK\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1724855417119,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1724855417119,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"z3p-vom-jnb\",\"attributes\":{\"version\":1,\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1724373425669,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1724373425669,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"aum-fmk-2zi\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_sUVnW\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1720846828022,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1720846828022,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"8j1-gvj-zbg\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_ipyRF\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1720846816336,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1720846816336,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mgj-zek-ajo\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_AszwF\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1718401086044,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1718401086044,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"bf0-bng-csr\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_bVlLJ\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1718400725834,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1718400725834,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"qni-ngf-dzd\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_tSfwV\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1716175452369,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1716175452369,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"qio-d0k-d3j\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_mABue\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1716162686297,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1716162686297,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fbo-ian-ijl\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_VfQSV\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713905359927,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713905359927,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"1o7-fwy-pet\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_JAnCe\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713903379681,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713903379681,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ug1-mbq-gkm\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_KJInv\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713902127183,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713902127183,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xvo-htm-wak\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_PkauG\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713901759732,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713901759732,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zfc-g0g-a8x\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_LPRxi\",\"description\":\"Execution of a java 
process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196703991,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196703991,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pae-rpt-yni\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_CpDMZ\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196520725,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196520725,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jwu-xbf-ic5\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_HfYXr\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196519724,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196519724,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uew-oxg-b86\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_Tjzvu\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712805386256,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712805386256,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wyn-ib7-f7o\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_fWORB\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712805020073,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712805020073,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mwk-g74-lbd\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_XcxFr\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712804840761,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712804840761,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rqa-io7-fwn\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_bKkuv\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712804479644,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712804479644,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n1x-qsa-p53\",\"attributes\":{\"version\":1,\"name\":\"windows_cryptominer_process\",\"description\":\"A cryptominer was potentially executed\",\"expression\":\"exec.cmdline in [~\\\"*xmrig*\\\", ~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", ~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1712079129574,\"filters\":[\"os == 
\\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rws-z9b-qjv\",\"attributes\":{\"version\":1,\"name\":\"ransomware_note\",\"description\":\"Possible ransomware note created under common user directories\",\"expression\":\"open.flags & O_CREAT > 0\\n&& open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", ~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", ~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n&& open.file.name in [r\\\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\\\"] && open.file.name not in [r\\\".*\\\\.lock$\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644650371,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pqp-0vs-cmu\",\"attributes\":{\"version\":1,\"name\":\"ssh_it_tool_config_write\",\"description\":\"The configuration directory for an ssh worm\",\"expression\":\"open.file.path in [\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644642969,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tkp-w9m-vzp\",\"attributes\":{\"version\":1,\"name\":\"safeboot_modification\",\"description\":\"Safeboot registry modified\",\"expression\":\"set.registry.key_path =~ 
\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SafeBoot\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644635093,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8be-hej-nf2\",\"attributes\":{\"version\":3,\"name\":\"ps_discovery\",\"description\":\"Processes were listed using the ps command\",\"expression\":\"exec.comm == \\\"ps\\\" && exec.argv not in [\\\"-p\\\", \\\"--pid\\\"] && process.ancestors.file.name not in [\\\"qualys-cloud-agent\\\", \\\"amazon-ssm-agent\\\"] && process.parent.file.name not in [\\\"rkhunter\\\", \\\"jspawnhelper\\\", ~\\\"vm-agent*\\\", \\\"PassengerAgent\\\", \\\"node\\\", \\\"wdavdaemon\\\", \\\"chkrootkit\\\", \\\"tsagentd\\\", \\\"wazuh-modulesd\\\", \\\"wdavdaemon\\\", \\\"talend-remote-engine-service\\\", \\\"check_procs\\\", \\\"newrelic-daemon\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644627589,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wn9-9vf-8be\",\"attributes\":{\"version\":1,\"name\":\"mount_proc_hide\",\"description\":\"Process hidden using mount\",\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", ~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644623109,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"upj-muh-hms\",\"attributes\":{\"version\":2,\"name\":\"chatroom_request\",\"description\":\"A DNS request was made for a chatroom domain\",\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"category\":\"Network Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644612626,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gnz-81e-6lg\",\"attributes\":{\"version\":1,\"name\":\"cryptominer_envs\",\"description\":\"Process environment variables match cryptocurrency miner\",\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", \\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644602654,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7da-gwx-c3l\",\"attributes\":{\"version\":2,\"name\":\"auditctl_usage\",\"description\":\"The auditctl command was used to modify auditd\",\"expression\":\"exec.file.name == \\\"auditctl\\\" && exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644592613,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8jg-xym-vqz\",\"attributes\":{\"version\":1,\"name\":\"jupyter_shell_execution\",\"description\":\"A Jupyter notebook executed a shell\",\"expression\":\"(exec.file.name in [\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"test\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in 
[\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) && process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644590883,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9ih-87r-xrp\",\"attributes\":{\"version\":1,\"name\":\"registry_runkey_modified\",\"description\":\"A Registry runkey has been modified\",\"expression\":\"set.registry.key_path in [~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal 
Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunonceEx\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644584412,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"msb-ai6-ua5\",\"attributes\":{\"version\":2,\"name\":\"tunnel_traffic\",\"description\":\"Tunneling or port forwarding tool used\",\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") && process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] && process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] && process.args in [r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" && process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" && process.args in [r\\\".*(TCP4-LISTEN:|SOCKS).*\\\"]) || (exec.comm in [\\\"iodine\\\", \\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] && process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644574925,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6fr-csu-axm\",\"attributes\":{\"version\":7,\"name\":\"k8s_pod_service_account_token_accessed\",\"description\":\"The Kubernetes pod service account token was accessed\",\"expression\":\"open.file.path in 
[~\\\"/var/run/secrets/kubernetes.io/serviceaccount/**\\\", ~\\\"/run/secrets/kubernetes.io/serviceaccount/**\\\"] && open.file.name == \\\"token\\\" && process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"] && process.file.path not in [\\\"/usr/bin/cilium-agent\\\", \\\"/coredns\\\", \\\"/usr/bin/cilium-operator\\\", \\\"/manager\\\", \\\"/fluent-bit/bin/fluent-bit\\\", \\\"/usr/local/bin/cloud-node-manager\\\", \\\"/secrets-store-csi\\\", \\\"/bin/secrets-store-csi-driver-provider-aws\\\", \\\"/usr/bin/calico-node\\\", \\\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\\\", \\\"/nginx-ingress-controller\\\", \\\"/cluster-autoscaler\\\", \\\"/cluster-proportional-autoscaler\\\", \\\"/haproxy-ingress-controller\\\", \\\"/kube-state-metrics\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/external-secrets\\\", \\\"/node-termination-handler\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/vault\\\", \\\"/usr/local/bin/kubectl\\\", \\\"/local-provisioner\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/usr/local/bin/vaultd\\\", \\\"/usr/local/bin/trace-driveline-writer\\\", \\\"/usr/local/bin/registration-controller\\\", \\\"/usr/local/bin/cluster-autoscaler\\\"] && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", 
\\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644571787,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"30s-pi8-9b4\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1711550899699,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1711550899699,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"a9q-iyx-gfu\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686508595,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686508595,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"hlq-w7y-5tg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686508341,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686508341,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"lj4-ina-ue2\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507890,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507890,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"qlz-mcu-d2k\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507757,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507757,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bmx-go6-0lz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507388,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507388,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bk0-mpb-ii8\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507115,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507115,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"0xw-wbm-pel\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131459596,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131459596,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"nvt-eoh-yiz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131458820,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131458820,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"dc5-hba-20b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131457616,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131457616,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"asb-kqf-vex\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131457216,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131457216,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yzx-ia6-bdh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131456469,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131456469,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"3uo-x9p-tmb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131455692,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131455692,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"kan-5ki-wau\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872191984,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872191984,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ggb-h3r-t7d\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872191450,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872191450,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"y4n-8gx-m3n\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872190549,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872190549,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"xsf-ugy-cfq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872190256,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872190256,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"btr-btz-zif\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872189757,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872189757,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"jnw-ija-az5\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872189262,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872189262,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"6v0-shq-8gm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452911364,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452911364,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yrv-svq-9nz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452911144,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452911144,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"9s9-wui-t8c\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910712,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910712,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"krm-ssv-tn5\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910586,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910586,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"uiu-6vz-z2h\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910368,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910368,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"eej-oup-jwu\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910147,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910147,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ltv-fla-wb0\",\"attributes\":{\"version\":1,\"name\":\"ntds_in_commandline\",\"description\":\"NTDS file referenced in commandline\",\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404490608,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"uuf-w3c-u9q\",\"attributes\":{\"version\":1,\"name\":\"scheduled_task_creation\",\"description\":\"A scheduled task was created\",\"expression\":\"exec.file.name in [\\\"at.exe\\\",\\\"schtasks.exe\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404490608,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nyc-gfz-yr5\",\"attributes\":{\"version\":5,\"name\":\"nsswitch_conf_mod_chown\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1704404477785,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bm8-j5w-xfv\",\"attributes\":{\"version\":3,\"name\":\"suspicious_suid_execution\",\"description\":\"Recently written or modified suid file has been executed\",\"expression\":\"((process.file.mode & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name != \\\"\\\" && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404469455,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"phy-tco-k7w\",\"attributes\":{\"version\":6,\"name\":\"database_shell_execution\",\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n 
\\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/
bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) &&\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] &&\\n!(process.parent.file.name == \\\"initdb\\\" &&\\nexec.args == \\\"-c locale -a\\\") &&\\n!(process.parent.file.name == \\\"postgres\\\" &&\\nexec.args == ~\\\"*pg_wal*\\\")\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722069155,\"updateDate\":1704404453620,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7x1-glr-ofl\",\"attributes\":{\"version\":2,\"name\":\"credential_modified_open_v2\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\\n (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", 
\\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && container.created_at > 90s\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404453617,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jjg-cwd-bi8\",\"attributes\":{\"version\":2,\"name\":\"pci_11_5_critical_binaries_open_v2\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && container.created_at > 90s\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404449335,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rqb-wq9-xzq\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_jcvqK\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1704404420111,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1704404420111,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"sqx-azd-ia2\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_ivMAv\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1700251049947,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1700251049947,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"83g-jde-hyc\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1700243663249,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1700243663249,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hyg-8q3-gme\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294824,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294824,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bn3-we8-cxn\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294647,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294647,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"goh-6ij-cpa\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294269,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294269,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"he7-cho-9th\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294175,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294175,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"pj5-9wo-0ny\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219293961,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219293961,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"dmd-ens-omw\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219293736,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219293736,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"8ft-wcs-sok\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132880522,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132880522,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"onm-fm3-ilm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132880255,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132880255,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cxv-wyz-udh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879795,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879795,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"7ro-vjj-hqg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879679,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879679,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"3uf-mai-edh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879455,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879455,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"e2t-sos-sgs\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879213,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879213,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"joz-phu-bj6\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046608383,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046608383,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"9gx-e5x-wxl\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046607880,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046607880,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cmg-7ok-iws\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046607019,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046607019,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"fc2-mmz-xme\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046606743,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046606743,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cw4-gei-lqg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046606184,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046606184,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"djb-5it-syy\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046605699,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046605699,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"2be-cfa-xhr\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960183272,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960183272,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5dp-tcj-tbm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960182731,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960182731,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"a0m-zaf-0a8\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181838,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181838,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"erx-pyz-xft\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181554,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181554,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ydh-fsm-slz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181024,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181024,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5pp-60h-keq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960180438,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960180438,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"xyn-fkc-osi\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873852793,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873852793,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"llg-x6t-jjq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873852043,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873852043,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"q1s-ejx-xq3\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873850880,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873850880,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"zw4-cad-dro\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873850490,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873850490,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"rik-8jl-7nr\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873849810,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873849810,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"vih-vom-ryl\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873849102,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873849102,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"mhl-gkn-bun\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_unlink\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699614659146,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"j3f-cie-47b\",\"attributes\":{\"version\":2,\"name\":\"kernel_module_load_from_memory\",\"description\":\"A kernel module was loaded from memory\",\"expression\":\"load_module.loaded_from_memory == true\",\"category\":\"Kernel 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718630,\"updateDate\":1699614659145,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"my1-vln-8fq\",\"attributes\":{\"version\":3,\"name\":\"cryptominer_args\",\"description\":\"A process launched with arguments associated with cryptominers\",\"expression\":\"exec.args_options in [~\\\"cpu-priority*\\\", ~\\\"donate-level*\\\"] || exec.args in [~\\\"*stratum+tcp*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699614656177,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"us6-p6v-hbj\",\"attributes\":{\"version\":2,\"name\":\"tar_execution\",\"description\":\"Tar archive created\",\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" && exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699614655670,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vky-y2i-mvh\",\"attributes\":{\"version\":2,\"name\":\"java_shell_execution_parent\",\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n 
\\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\
\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"])\\n&& process.parent.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699614653571,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ohe-vlf-t2h\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_chown\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1699614645120,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"abo-w0g-emz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614584761,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614584761,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yyr-62t-pwg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614584201,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614584201,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"s87-olo-akk\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614583309,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614583309,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"hqc-ilw-6pg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614583007,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614583007,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5ik-iyy-ry4\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614582497,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614582497,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"0mj-ptm-mcq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614581944,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614581944,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"awr-mtg-lce\",\"attributes\":{\"version\":1,\"name\":\"offensive_k8s_tool\",\"description\":\"A known kubernetes pentesting tool has been executed\",\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] && (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699605598275,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qng-psi-j15\",\"attributes\":{\"version\":5,\"name\":\"runc_modification\",\"description\":\"The runc binary was modified in a non-standard way\",\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n&& open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392837049,\"updateDate\":1699605592780,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vlh-msh-elx\",\"attributes\":{\"version\":1,\"name\":\"redis_save_module\",\"description\":\"Redis module has been created\",\"expression\":\"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) && process.file.name in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699605590262,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"i0s-yb1-hnl\",\"attributes\":{\"version\":4,\"name\":\"net_util_exfiltration\",\"description\":\"Exfiltration attempt via network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699605585597,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ki7-koc-icf\",\"attributes\":{\"version\":2,\"name\":\"apparmor_modified_tty\",\"description\":\"An AppArmor profile was modified in an interactive session\",\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] && exec.tty_name !=\\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392836162,\"updateDate\":1699605581360,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kzh-5hn-edg\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_chmod\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", 
~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605577106,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rm1-b8h-cec\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_link\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605575176,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zk5-jeo-579\",\"attributes\":{\"version\":2,\"name\":\"rc_scripts_modified\",\"description\":\"RC scripts modified\",\"expression\":\"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path in [\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699605566454,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"je9-er4-njy\",\"attributes\":{\"version\":2,\"name\":\"selinux_disable_enforcement\",\"description\":\"SELinux enforcement status was disabled\",\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] && process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1635332067172,\"updateDate\":1699605560892,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yly-big-wfq\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_chown\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", 
~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605558253,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6ef-efv-07c\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_utimes\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605550430,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"1vg-wvn-jeo\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_rename\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605548906,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"332-1wp-nhi\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1699375258346,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1699375258346,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pn7-9wx-enb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130893,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130893,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zag-uxd-4rh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130586,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130586,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"gj1-f5n-atq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130040,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130040,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xoa-393-gtb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129856,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129856,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wib-odd-eos\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129533,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129533,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zi0-hgn-9ec\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129209,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129209,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"oce-aqj-x6b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185616079,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185616079,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cdt-p7e-q1b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185615169,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185615169,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wgo-mps-djd\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185614427,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185614427,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"odr-ipk-wvx\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185613924,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185613924,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nb1-dkb-bwz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185612915,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185612915,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"t2g-qma-f5b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185611378,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185611378,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pwg-71z-aob\",\"attributes\":{\"version\":1,\"name\":\"ssl_certificate_tampering_open_v2\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\\n&& container.created_at > 180s\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748504240,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zuq-yfd-hun\",\"attributes\":{\"version\":1,\"name\":\"deploy_priv_container\",\"description\":\"A privileged container was created\",\"expression\":\"exec.file.name != \\\"\\\" && container.created_at < 1s && process.cap_permitted & CAP_SYS_ADMIN > 0\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748488881,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ayp-cd9-j3f\",\"attributes\":{\"version\":1,\"name\":\"network_sniffing_tool\",\"description\":\"Local account groups were enumerated after container start up\",\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748485348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"x3k-0en-bhm\",\"attributes\":{\"version\":1,\"name\":\"ssh_authorized_keys_open_v2\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && container.created_at > 180s\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748480895,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kmx-s3s-htb\",\"attributes\":{\"version\":1,\"name\":\"nsswitch_conf_mod_open_v2\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && container.created_at > 180s\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748480617,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fdh-b1k-i0e\",\"attributes\":{\"version\":1,\"name\":\"suid_file_execution\",\"description\":\"a SUID file was executed\",\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \\\"/usr/bin/sudo\\\"\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748479473,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rqu-01q-fmr\",\"attributes\":{\"version\":1,\"name\":\"net_util_in_container_v2\",\"description\":\"A network utility was executed in a container\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id != \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ] && container.created_at > 180s\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748479210,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"igw-lex-dzw\",\"attributes\":{\"version\":1,\"name\":\"hidden_file_executed\",\"description\":\"A hidden file was executed in a suspicious folder\",\"expression\":\"exec.file.name =~ \\\".*\\\" && exec.file.path in [~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748474266,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ixh-tff-n0g\",\"attributes\":{\"version\":1,\"name\":\"shell_profile_modification\",\"description\":\"Shell profile was modified\",\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748474208,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"84k-f4f-yx8\",\"attributes\":{\"version\":4,\"name\":\"python_cli_code\",\"description\":\"Python code was provided on the command line\",\"expression\":\"exec.file.name == ~\\\"python*\\\" && exec.args_flags in [\\\"c\\\"] && exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", \\\"*-c*/bash*\\\", \\\"*-c*/bin/sh*\\\", \\\"*-c*pty.spawn*\\\"] && exec.args !~ \\\"*setuptools*\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748470573,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"llh-ylu-udm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740629202,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740629202,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tfj-qbi-njb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740550818,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740550818,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"otj-idk-ece\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740379706,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740379706,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"l88-cpw-jvx\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688739737197,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688739737197,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kcw-scc-5ve\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688677455854,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688677455854,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lg7-iv9-wts\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_utimes\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (utimes.file.path == \\\"/etc/sudoers\\\")\\n) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684185006444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"lxo-jgz-gtv\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_chown\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path == \\\"/etc/sudoers\\\")\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684185001787,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vu4-g2z-6yx\",\"attributes\":{\"version\":1,\"name\":\"user_deleted_tty\",\"description\":\"A user was deleted via an interactive session\",\"expression\":\"exec.file.name in [\\\"userdel\\\", \\\"deluser\\\"] && exec.tty_name !=\\\"\\\" && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684185000708,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"dgj-0mh-asf\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_unlink\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (unlink.file.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184996909,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6t0-pxf-oag\",\"attributes\":{\"version\":1,\"name\":\"curl_docker_socket\",\"description\":\"The Docker socket was referenced in a cURL command\",\"expression\":\"exec.file.name == \\\"curl\\\" && exec.args_flags in [\\\"unix-socket\\\"] && exec.args in [\\\"*docker.sock*\\\"] && container.id != \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184996292,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"07x-ilo-vbw\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_rename\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (rename.file.path == \\\"/etc/sudoers\\\"\\n || rename.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184995498,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vbb-8oz-uj8\",\"attributes\":{\"version\":1,\"name\":\"read_release_info\",\"description\":\"OS information was read from the /etc/lsb-release file\",\"expression\":\"open.file.path == \\\"/etc/lsb-release\\\" && open.flags & O_RDONLY > 0\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184994303,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"hxb-abz-bnu\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_chmod\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode != chmod.file.mode && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184993817,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wxp-zv6-mdg\",\"attributes\":{\"version\":1,\"name\":\"kmod_list\",\"description\":\"Kernel modules were listed using the kmod command\",\"expression\":\"exec.comm == \\\"kmod\\\" && exec.args in [~\\\"*list*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184992493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"0on-nzp-luo\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_open\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"\\n(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n(open.file.path == \\\"/etc/sudoers\\\")) && process.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184992340,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rsp-g6i-jdi\",\"attributes\":{\"version\":1,\"name\":\"service_stop\",\"description\":\"systemctl used to stop a service\",\"expression\":\"exec.file.name == \\\"systemctl\\\" && exec.args in [~\\\"*stop*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184991238,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"d5p-vk6-w0f\",\"attributes\":{\"version\":1,\"name\":\"exec_lsmod\",\"description\":\"Kernel modules were listed using the lsmod command\",\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184990877,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ich-3ke-cor\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_link\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (link.file.path == \\\"/etc/sudoers\\\"\\n || link.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184985910,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zdy-kcq-q0v\",\"attributes\":{\"version\":1,\"name\":\"read_kubeconfig\",\"description\":\"The kubeconfig file was accessed\",\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184984191,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yij-lei-ykx\",\"attributes\":{\"version\":1,\"name\":\"exec_whoami\",\"description\":\"The whoami command was executed\",\"expression\":\"exec.comm == \\\"whoami\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184982050,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fjh-jmi-fbi\",\"attributes\":{\"version\":1,\"name\":\"auditd_rule_file_modified\",\"description\":\"The auditd rules file was modified without using auditctl\",\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \\\"auditctl\\\"\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490457848,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"div-3ym-esz\",\"attributes\":{\"version\":1,\"name\":\"auditd_config_modified\",\"description\":\"The auditd configuration file was modified without using auditctl\",\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \\\"auditctl\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490453830,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"swo-jyw-vtb\",\"attributes\":{\"version\":5,\"name\":\"aws_eks_service_account_token_accessed\",\"description\":\"The AWS EKS service account token was accessed\",\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" && open.file.name == \\\"token\\\" && process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490453789,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"2p0-3i2-b4y\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_open\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490451189,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ybu-yya-acz\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_chmod\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.mode != chmod.file.destination.mode\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != 
\\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1681490448291,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kek-yib-peb\",\"attributes\":{\"version\":2,\"name\":\"shell_history_deleted\",\"description\":\"Shell History was Deleted\",\"expression\":\"(unlink.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\") && process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490445819,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"w07-amm-bxr\",\"attributes\":{\"version\":10,\"name\":\"ssl_certificate_tampering_utimes\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490443753,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pti-xku-k7y\",\"attributes\":{\"version\":3,\"name\":\"shell_history_truncated\",\"description\":\"Shell History was Deleted\",\"expression\":\"open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\" && open.file.path in [~\\\"/root/*\\\", ~\\\"/home/**\\\"] && process.file.name == \\\"truncate\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490441112,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jin-icc-lpi\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_unlink\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1681490440557,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"aby-cmp-yrd\",\"attributes\":{\"version\":2,\"name\":\"dynamic_linker_config_write\",\"description\":\"A process wrote to a dynamic linker config file\",\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", \\\"/etc/ld.so.conf.d/*.conf\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"] && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490436787,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7nq-ugi-gu1\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_link\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (link.file.path in [ 
~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n && process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.file.name !~ \\\"runc*\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1681490436302,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qzs-yvl-f4t\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_rename\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", 
\\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1681490435881,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9hn-ukg-ek1\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222899530,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222899530,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ulc-8ym-1ch\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222899155,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222899155,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zja-jqt-rpm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898613,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898613,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"2ov-h11-m4w\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898408,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898408,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"shb-0xv-eib\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898061,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898061,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"psp-nbn-dtg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222897739,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222897739,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mcq-6by-989\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856493876,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856493876,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tci-5f7-cis\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856492960,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856492960,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mey-lit-gzs\",\"attributes\":{\"version\":1,\"name\":\"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856491445,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856491445,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"4ve-rws-nw0\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856490988,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856490988,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"9aa-y0q-rrc\",\"attributes\":{\"version\":1,\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856490077,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856490077,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tvd-3p1-cai\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856489180,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856489180,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"asy-mod-zmt\",\"attributes\":{\"version\":5,\"name\":\"user_created_tty\",\"description\":\"A user was created via an interactive session\",\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] && exec.tty_name !=\\\"\\\" && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && exec.args_flags not in [\\\"D\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392836979,\"updateDate\":1677793421528,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rek-wb4-s7y\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_rename\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793418528,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"4fh-bb7-747\",\"attributes\":{\"version\":11,\"name\":\"credential_modified_chmod\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", 
\\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793414173,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yiy-mba-pny\",\"attributes\":{\"version\":5,\"name\":\"common_net_intrusion_util\",\"description\":\"A network utility (nmap) commonly used in intrusion attacks was executed\",\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zgrab\\\", \\\"zgrab2\\\", \\\"rustscan\\\", \\\"pnscan\\\"] && exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722067554,\"updateDate\":1677793413474,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3tj-btx-kvo\",\"attributes\":{\"version\":5,\"name\":\"package_management_in_container\",\"description\":\"Package management was detected in a container\",\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && container.id != \\\"\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722067648,\"updateDate\":1677793413044,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"oio-i4o-xzw\",\"attributes\":{\"version\":1,\"name\":\"tty_shell_in_container\",\"description\":\"A shell with a TTY was executed in a container\",\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] && process.tty_name != \\\"\\\" && process.container.id != \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793412844,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qdc-oqx-zsx\",\"attributes\":{\"version\":8,\"name\":\"systemd_modification_chown\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793412379,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pwh-omk-qrr\",\"attributes\":{\"version\":3,\"name\":\"new_binary_execution_in_container\",\"description\":\"A container executed a new binary not found in the container image\",\"expression\":\"container.id != \\\"\\\" && process.file.in_upper_layer && process.file.modification_time < 30s && exec.file.name != \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1652129906455,\"updateDate\":1677793412378,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bgs-kbk-xkh\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_link\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793412375,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tmh-now-e61\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_open\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1677793410974,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kxs-kt6-5gt\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_unlink\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793406609,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ohp-ags-xpk\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_utimes\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1677793405837,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"t8w-eul-chf\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_utimes\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793405627,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ay7-jkz-rda\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_unlink\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793404797,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fpw-paa-smb\",\"attributes\":{\"version\":10,\"name\":\"kernel_module_utimes\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793402985,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"c4t-pxu-ixk\",\"attributes\":{\"version\":10,\"name\":\"kernel_module_unlink\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793402725,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ec9-vff-7ni\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_link\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (link.file.path in [ 
~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793401708,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"r5z-tke-sjm\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_link\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793401181,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"eoy-4fe-q7q\",\"attributes\":{\"version\":11,\"name\":\"credential_modified_chown\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793399502,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"cd0-w8q-vl4\",\"attributes\":{\"version\":11,\"name\":\"kernel_module_chown\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (chown.file.path in [ 
~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793397722,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bw8-80r-qih\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_BAiZP\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677793394115,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677793394115,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mpb-1rj-dv6\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_rename\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/modules/**\\\", 
~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793394010,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ac4-asc-qi4\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_rename\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793391290,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gtx-vpl-ror\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_lszUX\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1675978633464,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1675978633464,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xye-pfo-y0r\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_open\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1674486423764,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"cmu-g58-cau\",\"attributes\":{\"version\":6,\"name\":\"cron_at_job_creation_rename\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486423628,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"sna-hgh-vo4\",\"attributes\":{\"version\":3,\"name\":\"dynamic_linker_config_unlink\",\"description\":\"A process unlinked a dynamic linker config file\",\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1674486422738,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"efc-svz-7hu\",\"attributes\":{\"version\":1,\"name\":\"potential_web_shell_parent\",\"description\":\"A web application spawned a shell or shell utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) &&\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1674486413493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tna-ty5-e7c\",\"attributes\":{\"version\":1,\"name\":\"mount_host_fs\",\"description\":\"The host file system was mounted in a container\",\"expression\":\"mount.source.path == \\\"/\\\" && mount.fs_type != \\\"overlay\\\" && container.id != \\\"\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1674486412444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ygi-ozn-m5d\",\"attributes\":{\"version\":1,\"name\":\"memfd_create\",\"description\":\"memfd object created\",\"expression\":\"exec.file.name =~ \\\"memfd*\\\" && exec.file.path == \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1674486411993,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nlp-lzc-rcf\",\"attributes\":{\"version\":5,\"name\":\"systemd_modification_open\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", 
~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142929241,\"updateDate\":1674486408888,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"avt-p2e-fyc\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_chmod\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1674486407158,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ipa-v3l-kt6\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_chmod\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n 
&& process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) && chmod.file.destination.mode != chmod.file.mode\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486406983,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3xl-qds-f0e\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_chown\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486406776,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"0gu-pqy-o1a\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_link\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", 
~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486406604,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ygn-d8o-ncr\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_utimes\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486406387,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"psd-3el-h33\",\"attributes\":{\"version\":9,\"name\":\"credential_modified_utimes\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (utimes.file.path in [ 
\\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1674486406248,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"atu-tci-bjn\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_unlink\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486405229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"onm-dqu-jly\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_open\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486404864,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kuu-k1s-gqz\",\"attributes\":{\"version\":6,\"name\":\"systemd_modification_chmod\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142929241,\"updateDate\":1674486404846,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"hnh-eio-mow\",\"attributes\":{\"version\":2,\"name\":\"ptrace_antidebug\",\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"expression\":\"ptrace.request == PTRACE_TRACEME && process.file.name != \\\"\\\"\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718435,\"updateDate\":1670604150759,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"f5y-pdn-pnj\",\"attributes\":{\"version\":4,\"name\":\"kernel_module_load\",\"description\":\"A kernel module was loaded\",\"expression\":\"load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", \\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\"] && process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718458,\"updateDate\":1670604150549,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ddh-ld5-2rj\",\"attributes\":{\"version\":1,\"name\":\"aws_imds\",\"description\":\"An AWS IMDS was called via a network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", 
\\\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150281,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"enj-kdc-1tt\",\"attributes\":{\"version\":1,\"name\":\"net_file_download\",\"description\":\"A suspicious file was written by a network utility\",\"expression\":\"open.flags & O_CREAT > 0 && process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n&& (\\n (open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150067,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wew-y1h-1um\",\"attributes\":{\"version\":1,\"name\":\"compile_after_delivery\",\"description\":\"A compiler wrote a suspicious file in a container\",\"expression\":\"open.flags & O_CREAT > 0\\n&& (\\n (open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n&& (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"])\\n&& process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n&& container.id != \\\"\\\"\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150062,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ct9-og0-h7h\",\"attributes\":{\"version\":1,\"name\":\"net_unusual_request\",\"description\":\"Network utility executed with suspicious URI\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] \",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150059,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9dx-svj-apj\",\"attributes\":{\"version\":1,\"name\":\"azure_imds\",\"description\":\"An Azure IMDS was called via a network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150058,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"sah-xju-jcq\",\"attributes\":{\"version\":1,\"name\":\"gcp_imds\",\"description\":\"An GCP IMDS was called via a network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", ~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150002,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"mmk-0g6-4qu\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_VxNSK\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1668731826060,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1668731826060,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uze-gr4-sfh\",\"attributes\":{\"version\":1,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1667938921652,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1667938921652,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mgd-dmc-zta\",\"attributes\":{\"version\":1,\"name\":\"interactive_shell_in_container\",\"description\":\"An interactive shell was started inside of a container\",\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n 
\\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] && exec.args_flags in [\\\"i\\\"] && container.id !=\\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1666888169595,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3lt-gov-2yu\",\"attributes\":{\"version\":4,\"name\":\"net_util\",\"description\":\"A network utility was executed\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id == \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1642158534952,\"updateDate\":1666888163498,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jx4-pkv-247\",\"attributes\":{\"version\":2,\"name\":\"dirty_pipe_attempt\",\"description\":\"Potential Dirty pipe exploitation attempt\",\"expression\":\"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid 
!= 0)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1648564123603,\"updateDate\":1666888163347,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ifl-wfe-sch\",\"attributes\":{\"version\":6,\"name\":\"net_util_in_container\",\"description\":\"A network utility was executed in a container\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id != \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722068439,\"updateDate\":1666888163319,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"aux-r7v-odv\",\"attributes\":{\"version\":2,\"name\":\"dirty_pipe_exploitation\",\"description\":\"Potential Dirty pipe exploitation\",\"expression\":\"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid != 0 && process.gid != 0)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1648564123563,\"updateDate\":1666888163318,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vri-cjo-ywh\",\"attributes\":{\"version\":2,\"name\":\"pwnkit_privilege_escalation\",\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"expression\":\"(exec.file.path == \\\"/usr/bin/pkexec\\\" && exec.envs in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] && exec.envs not in [~\\\"*DISPLAY*\\\", 
~\\\"*DESKTOP_SESSION*\\\"] && exec.uid != 0)\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1643639113864,\"updateDate\":1666888163135,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ejk-rbu-v9x\",\"attributes\":{\"version\":3,\"name\":\"passwd_execution\",\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] && exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722068383,\"updateDate\":1666888162106,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pej-frv-8lb\",\"attributes\":{\"version\":2,\"name\":\"java_shell_execution\",\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n 
exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\"
,\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"])\\n&& process.ancestors.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722069224,\"updateDate\":1666888161764,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"llh-jd2-obf\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_cdxqn\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1666320581140,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1666320581140,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xae-nwo-v33\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_iNwDw\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1666305602255,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1666305602255,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rvp-ggu-cvk\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706668670,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706791898,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"vx9-lii-nnm\",\"attributes\":{\"version\":1,\"name\":\"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706690162,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706690162,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xur-uya-vqn\",\"attributes\":{\"version\":1,\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706656639,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706656639,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"96x-aqb-3yh\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_RMoJm\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706171079,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706171079,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"smc-exb-ymp\",\"attributes\":{\"version\":1,\"name\":\"ld_preload_unusual_library_path\",\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file directory\",\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\" ,~\\\"LD_PRELOAD=/dev/shm/*\\\" ]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1665475122471,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fak-u9s-pac\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_chown\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", 
\\\"/etc/pam.conf\\\" ])\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1665475121157,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ki2-nwj-sot\",\"attributes\":{\"version\":4,\"name\":\"nsswitch_conf_mod_chmod\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1665475120054,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"12k-ui3-z4h\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_chmod\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1665475102566,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ien-7aw-blw\",\"attributes\":{\"version\":4,\"name\":\"ssh_authorized_keys_chown\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && 
(chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1665475102281,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vqc-lta-u8c\",\"attributes\":{\"version\":4,\"name\":\"ssh_authorized_keys_chmod\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1665475100348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"m1y-sk8-b4c\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_xkrhu\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665129615755,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665129615755,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"19v-30b-0xf\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665129432848,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665129432848,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ehj-52q-wq0\",\"attributes\":{\"version\":1,\"name\":\"shell_history_symlink\",\"description\":\"A symbolic link for shell history was created targeting /dev/null\",\"expression\":\"exec.comm == \\\"ln\\\" && exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1661193980229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gp1-mai-dlc\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test_us1_prod\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661183150504,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661183150504,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ai3-b8g-lbc\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test_prod\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661182864424,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661182864424,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tmz-dqc-yml\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661182722064,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661182722064,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ez9-ozl-3lz\",\"attributes\":{\"version\":2,\"name\":\"potential_cryptominer\",\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"expression\":\"dns.question.name in [~\\\"*minexmr.com\\\", ~\\\"*nanopool.org\\\", ~\\\"*supportxmr.com\\\", ~\\\"*c3pool.com\\\", ~\\\"*p2pool.io\\\", ~\\\"*ethermine.org\\\", ~\\\"*f2pool.com\\\", ~\\\"*poolin.me\\\", ~\\\"*rplant.xyz\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1658502077556,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tef-sab-thr\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001153179,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001158687,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wup-o5b-tjo\",\"attributes\":{\"version\":1,\"name\":\"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001152681,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001152681,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"c3v-vla-rev\",\"attributes\":{\"version\":1,\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001148856,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001148856,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"yel-nbl-2pj\",\"attributes\":{\"version\":1,\"name\":\"testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1654691372829,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1654691372829,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"rp0-hmk-9c1\",\"attributes\":{\"version\":1,\"name\":\"ip_check_domain\",\"description\":\"A DNS lookup was done for a IP check service\",\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1654020337230,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"q7y-2ci-hkh\",\"attributes\":{\"version\":1,\"name\":\"paste_site\",\"description\":\"A DNS lookup was done for a pastebin-like 
site\",\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1654020335889,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ntj-rfs-mw3\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1652008845797,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1652008845797,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dyn-u7u-v86\",\"attributes\":{\"version\":2,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997888388,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997888544,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mlg-yxw-uig\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997887223,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997887223,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lq3-t6t-xng\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997886363,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997886363,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"1hp-hpr-4ez\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997885869,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997885869,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mt3-pks-n5s\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997884985,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997884985,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"r4a-yvz-rj7\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997884150,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997884150,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"5k1-gwi-0aq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651943472022,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651943472022,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lkj-jnq-r6s\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651915815493,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651915815493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mbc-iwk-zpb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651912470539,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651912470539,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fzb-lli-m26\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651867150336,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651867150336,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"9mk-xxe-lpw\",\"attributes\":{\"version\":2,\"name\":\"suspicious_container_client\",\"description\":\"A container management utility was executed in a container\",\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\"] && container.id != \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722068555,\"updateDate\":1651671394200,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ieg-lmk-cgo\",\"attributes\":{\"version\":2,\"name\":\"kernel_module_load_container\",\"description\":\"A container loaded a new kernel module\",\"expression\":\"load_module.name != \\\"\\\" && container.id !=\\\"\\\"\",\"category\":\"Kernel 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718705,\"updateDate\":1650371511241,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"lzx-kkv-at3\",\"attributes\":{\"version\":1,\"name\":\"ptrace_injection\",\"description\":\"A process attempted to inject code into another process\",\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718540,\"updateDate\":1650293789265,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"foo-pve-qbq\",\"attributes\":{\"version\":1,\"name\":\"kernel_module_load_from_memory_container\",\"description\":\"A kernel module was loaded from memory inside a container\",\"expression\":\"load_module.loaded_from_memory == true && container.id !=\\\"\\\"\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718365,\"updateDate\":1650293788418,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"irg-o45-pxz\",\"attributes\":{\"version\":3,\"name\":\"example_agent_rule\",\"description\":\"An example agent rule generated in terraform\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1647036168203,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1647036377676,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rsy-7jg-hqm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392938634,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392938634,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"m39-rre-anw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392919175,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392919175,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"4wd-unc-xof\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392899126,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392899126,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jhk-qpj-jlt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392475857,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392475857,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ruf-aic-d4j\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392453588,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392453588,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jtf-zrn-0ph\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392434263,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392434263,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ijz-1cz-bms\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392042558,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392042558,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"21m-gs8-p43\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392021741,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392021741,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"in7-ydq-pbw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391998597,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391998597,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"v8v-sem-rmg\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391745920,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391745920,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kox-qtp-cbn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391725233,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391725233,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"thp-evn-3gr\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391702920,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391702920,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hx6-v0z-9gk\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390450706,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390450706,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n8j-9n3-urm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390427444,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390427444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tkl-mjf-is5\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390405807,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390405807,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"up2-fhh-bc8\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390171673,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390171673,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"vdu-0rd-lnj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390147278,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390147278,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dfb-wz2-0ka\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390124588,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390124588,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"7vz-wdj-vwc\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389998703,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389998703,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"qls-upn-1vc\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389972825,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389972825,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rxo-lya-bqu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389950224,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389950224,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dm3-ip4-rza\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389929035,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389929035,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rzs-ccq-4qm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389773436,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389773436,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wa9-zm8-8ds\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389706550,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389706550,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"alm-sgy-vz3\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389645597,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389645597,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dls-vo9-rqx\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389575084,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389575084,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fyz-u20-nvn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389549031,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389549031,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nqv-0et-fcj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389523942,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389523942,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"u7v-36z-wue\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389502800,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389502800,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"y2z-ffa-zys\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389479547,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389479547,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cym-1zi-nnd\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389428402,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389428402,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ip9-wgt-q3k\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389406698,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389406698,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"t9d-zbo-2nw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389381751,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389381751,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kaw-0h7-dji\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389356453,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389356453,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"m4i-otg-jnj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389335243,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389335243,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"heh-lnh-xwm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389226802,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389226802,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cwa-5rh-qtd\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389204108,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389204108,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"e5l-xtx-hmi\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389181761,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389181761,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ebx-lyj-r3a\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389155207,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389155207,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xac-4if-49b\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389130549,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389130549,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dh6-bdu-8v0\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389106392,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389106392,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hkd-6dr-ify\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388960762,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388960762,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"bsx-fod-0xj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388931383,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388931383,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"8jt-x9p-yoy\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388907818,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388907818,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rhd-qao-dub\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388883010,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388883010,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"j0f-fhi-ab7\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388862340,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388862340,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rvn-u2c-xm4\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388843151,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388843151,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ldn-agb-3fl\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388744863,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388744863,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cyr-g7t-to0\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388719895,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388719895,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wnm-xkk-mat\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388693095,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388693095,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"moo-kuq-zbt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388275282,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388275282,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wzs-moc-ji9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388250051,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388250051,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uw2-d3y-5h6\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388226579,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388226579,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fez-txs-qf9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388201323,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388201323,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fga-mna-xej\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388177724,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388177724,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"iyn-7sl-swn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388157048,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388157048,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"p3w-qyi-pbo\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388010676,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388010676,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"yyt-sfa-fck\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387597089,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387597089,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"5z7-fqq-siu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387573023,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387573023,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ivz-amj-yl7\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387549793,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387549793,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lyv-3xn-qch\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387524178,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387524178,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fpt-c7o-ipx\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387500298,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387500298,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tap-fek-5kw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387480011,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387480011,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"u7b-x0z-cbe\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387165931,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387165931,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hhe-gcm-vjl\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387141298,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387141298,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nt9-5fe-de1\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387114912,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387114912,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pj0-bcy-euh\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387082695,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387082695,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rm5-px4-iua\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387057879,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387057879,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cqz-7pc-ajz\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387032689,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387032689,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hot-prj-df5\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386926682,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386926682,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"q7n-lvv-4au\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386901939,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386901939,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"gly-5wu-uny\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386877222,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386877222,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"umz-fjl-7qq\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386850558,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386850558,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"spq-5f8-isw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386826170,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386826170,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dul-hdz-xmo\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386804704,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386804704,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n94-q2a-co9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386762229,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386762229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"x1n-wra-hdt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386735946,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386735946,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kgt-kcc-tnu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386713348,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386713348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"znp-dul-gcj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386674573,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386674573,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ily-tsr-dtj\",\"attributes\":{\"version\":1,\"name\":\"compiler_in_container\",\"description\":\"Compiler Executed in Container\",\"expression\":\"(exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || (exec.file.name == \\\"go\\\" && exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) && container.id !=\\\"\\\" && process.ancestors.file.path != \\\"/usr/bin/cilium-agent\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392836759,\"updateDate\":1636729662344,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jl5-wjt-58e\",\"attributes\":{\"version\":1,\"name\":\"aws_metadata_service\",\"description\":\"EC2 Instance Metadata Service Accessed via Network Utility\",\"expression\":\"exec.file.path in [\\\"/usr/bin/wget\\\", \\\"/usr/bin/curl\\\"] && exec.args in [~\\\"*169.254.169.254*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392836096,\"updateDate\":1629226276630,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8ol-dkr-aml\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_link\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fdf-wvb-c3k\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_open\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pkn-azw-qia\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_rename\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wpt-ba8-mpd\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_unlink\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7ud-d2o-qgo\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_utimes\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"za8-uxc-jxk\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_link\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n link.file.name == \\\"authorized_keys\\\" && (link.file.path in [ ~\\\"*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nej-iw4-adk\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_open\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.name == \\\"authorized_keys\\\" && (open.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tiz-yss-zhq\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_rename\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n rename.file.name == \\\"authorized_keys\\\" && (rename.file.path in [ ~\\\"*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"apr-zj4-ee1\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_unlink\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n unlink.file.name == \\\"authorized_keys\\\" && (unlink.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yhq-etl-wr6\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_utimes\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n utimes.file.name == \\\"authorized_keys\\\" && (utimes.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"m8i-uhr-aoq\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_link\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"adl-qjr-lyg\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_open\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"2fy-aqt-8mz\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_rename\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ei7-n5e-rvv\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_unlink\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"}]}\n" + "mimeType": "application/vnd.api+json", + "size": 304081, + "text": "{\"data\":[{\"id\":\"rlu-e6g-9lc\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"append\":true,\"default_value\":\"\",\"expression\":\"${process.correlation_key}\",\"inherited\":true,\"name\":\"parent_correlation_keys\",\"scope\":\"process\"},\"filter\":\"${process.correlation_key} != \\\"\\\"\"},{\"set\":{\"default_value\":\"\",\"expression\":\"\\\"service_new_cgroup_${builtins.uuid4}\\\"\",\"inherited\":true,\"name\":\"correlation_key\",\"scope\":\"process\"}}],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from new service cgroup\",\"enabled\":true,\"expression\":\"(exec.envs in [\\\"DD_SERVICE\\\", \\\"OTEL_SERVICE_NAME\\\"] || \\\"tags.datadoghq.com/service\\\" in container.tags) \\u0026\\u0026 ${process.correlation_key} in [~\\\"service_*\\\"] \\u0026\\u0026 process.cgroup.id != process.parent.cgroup.id\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"execution_context_service_new_cgroup\",\"updateDate\":1758821704744,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"5u4-9yp-qzj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"append\":true,\"default_value\":\"\",\"expression\":\"${process.correlation_key}\",\"inherited\":true,\"name\":\"parent_correlation_keys\",\"scope\":\"process\"},\"filter\":\"${process.correlation_key} != 
\\\"\\\"\"},{\"set\":{\"default_value\":\"\",\"expression\":\"\\\"cgroup_${builtins.uuid4}\\\"\",\"inherited\":true,\"name\":\"correlation_key\",\"scope\":\"process\"}}],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from cgroup\",\"enabled\":true,\"expression\":\"exec.cgroup.id != process.parent.cgroup.id \\u0026\\u0026 ${process.correlation_key} in [\\\"\\\", ~\\\"cgroup_*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"execution_context_cgroup\",\"updateDate\":1758821602050,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"4ev-hmm-maa\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"append\":true,\"default_value\":\"\",\"expression\":\"${process.correlation_key}\",\"inherited\":true,\"name\":\"parent_correlation_keys\",\"scope\":\"process\"},\"filter\":\"${process.correlation_key} != \\\"\\\"\"},{\"set\":{\"default_value\":\"\",\"expression\":\"\\\"interactive_shell_${builtins.uuid4}\\\"\",\"inherited\":true,\"name\":\"correlation_key\",\"scope\":\"process\"}}],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from interactive shell\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n 
\\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 (process.tty_name != \\\"\\\" || exec.args_flags in [\\\"i\\\"]) \\u0026\\u0026 ${process.correlation_key} in [\\\"\\\", ~\\\"cgroup_*\\\", ~\\\"auid_*\\\", ~\\\"service_*\\\", ~\\\"service_new_cgroup_*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"execution_context_interactive_shell\",\"updateDate\":1758821602039,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"oom-s2e-cik\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"append\":true,\"default_value\":\"\",\"expression\":\"${process.correlation_key}\",\"inherited\":true,\"name\":\"parent_correlation_keys\",\"scope\":\"process\"},\"filter\":\"${process.correlation_key} != \\\"\\\"\"},{\"set\":{\"default_value\":\"\",\"expression\":\"\\\"auid_${builtins.uuid4}\\\"\",\"inherited\":true,\"name\":\"correlation_key\",\"scope\":\"process\"}}],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from auid\",\"enabled\":true,\"expression\":\"exec.auid \\u003e= 0 \\u0026\\u0026 exec.auid != AUDIT_AUID_UNSET \\u0026\\u0026 ${process.correlation_key} in [\\\"\\\", ~\\\"cgroup_*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"execution_context_auid\",\"updateDate\":1758821601623,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"pbi-dxy-kcf\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"field\":\"container.id\",\"name\":\"core_pattern_write_container_id\",\"scope\":\"container\",\"ttl\":\"30m\"}}],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Detect any attempt to modify /proc/sys/kernel/core_pattern from a 
container, which might result to escape to host when a core dump is triggered.\",\"enabled\":true,\"expression\":\"open.file.name == \\\"core_pattern\\\" \\u0026\\u0026\\nopen.file.filesystem == \\\"proc\\\" \\u0026\\u0026\\nopen.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 \\ncontainer.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"core_pattern_write\",\"updateDate\":1758821600663,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"clu-w0v-xue\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Kernel Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The LD_AUDIT variable is populated by a link to a suspicious file directory\",\"enabled\":true,\"expression\":\"process.envs in [\\\"LD_AUDIT\\\"] \\u0026\\u0026 \\n(\\n mmap.file.path in [~\\\"/home/*\\\", ~\\\"/tmp/*\\\", ~\\\"/dev/shm/*\\\"] || \\n mmap.file.in_upper_layer == true\\n) \\u0026\\u0026\\nmmap.protection \\u0026 (PROT_EXEC) \\u003e 0 \",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ld_audit_unusual_library_path\",\"updateDate\":1758821600445,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"vay-3e5-8rx\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process connected to a paste site\",\"enabled\":true,\"expression\":\"connect.addr.hostname in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\", \\\"rentry.co\\\", \\\"transfer.sh\\\"] \\u0026\\u0026 connect.addr.is_public == true \\u0026\\u0026 connect.addr.port in [80, 443]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"paste_site_domain\",\"updateDate\":1758821600423,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"f2e-rwu-xk1\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"append\":true,\"default_value\":\"\",\"expression\":\"${process.correlation_key}\",\"inherited\":true,\"name\":\"parent_correlation_keys\",\"scope\":\"process\",\"scope_field\":\"cgroup_write.pid\"},\"filter\":\"${process.correlation_key} != \\\"\\\"\"},{\"set\":{\"default_value\":\"\",\"expression\":\"\\\"cgroup_${builtins.uuid4}\\\"\",\"inherited\":true,\"name\":\"correlation_key\",\"scope\":\"process\",\"scope_field\":\"cgroup_write.pid\"}}],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from cgroup write\",\"enabled\":true,\"expression\":\"cgroup_write.pid \\u003e 0 \\u0026\\u0026 ${process.correlation_key} in [\\\"\\\", ~\\\"cgroup_*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"execution_context_cgroup_write\",\"updateDate\":1758821487905,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"vjy-zww-l4n\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"append\":true,\"default_value\":\"\",\"expression\":\"${process.correlation_key}\",\"inherited\":true,\"name\":\"parent_correlation_keys\",\"scope\":\"process\",\"scope_field\":\"cgroup_write.pid\"},\"filter\":\"${process.correlation_key} != \\\"\\\"\"},{\"set\":{\"default_value\":\"\",\"expression\":\"\\\"service_new_cgroup_${builtins.uuid4}\\\"\",\"inherited\":true,\"name\":\"correlation_key\",\"scope\":\"process\",\"scope_field\":\"cgroup_write.pid\"}}],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from new service cgroup 
write\",\"enabled\":true,\"expression\":\"cgroup_write.pid \\u003e 0 \\u0026\\u0026 (process.envs in [\\\"DD_SERVICE\\\", \\\"OTEL_SERVICE_NAME\\\"] || \\\"tags.datadoghq.com/service\\\" in container.tags) \\u0026\\u0026 ${process.correlation_key} in [~\\\"service_*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"execution_context_service_new_cgroup_write\",\"updateDate\":1758821487905,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"f3b-103-7p3\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process connected to a cryptocurrency mining pool\",\"enabled\":true,\"expression\":\"connect.addr.hostname in [~\\\"*.minexmr.com\\\", \\\"minexmr.com\\\", ~\\\"*.nanopool.org\\\", \\\"nanopool.org\\\", ~\\\"*.supportxmr.com\\\", \\\"supportxmr.com\\\", ~\\\"*.c3pool.com\\\", \\\"c3pool.com\\\", ~\\\"*.p2pool.io\\\", \\\"p2pool.io\\\", ~\\\"*.ethermine.org\\\", \\\"ethermine.org\\\", ~\\\"*.f2pool.com\\\", \\\"f2pool.com\\\", ~\\\"*.poolin.me\\\", \\\"poolin.me\\\", ~\\\"*.rplant.xyz\\\", \\\"rplant.xyz\\\", ~\\\"*.miningocean.org\\\", \\\"miningocean.org\\\"] \\u0026\\u0026 connect.addr.is_public == true \\u0026\\u0026 connect.addr.port not in [53, 80, 443]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mining_pool_domain\",\"updateDate\":1758821487681,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"lp4-x68-ekq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"append\":true,\"default_value\":\"\",\"expression\":\"${process.correlation_key}\",\"inherited\":true,\"name\":\"parent_correlation_keys\",\"scope\":\"process\"},\"filter\":\"${process.correlation_key} != 
\\\"\\\"\"},{\"set\":{\"default_value\":\"\",\"expression\":\"\\\"k8s_session_${builtins.uuid4}\\\"\",\"inherited\":true,\"name\":\"correlation_key\",\"scope\":\"process\"}}],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from k8s user session\",\"enabled\":true,\"expression\":\"exec.user_session.k8s_username != \\\"\\\" \\u0026\\u0026 ${process.correlation_key} in [\\\"\\\", ~\\\"cgroup_*\\\", ~\\\"auid_*\\\", ~\\\"service_*\\\", ~\\\"service_new_cgroup_*\\\", ~\\\"interactive_shell_*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"execution_context_k8s_usersession_entrypoint\",\"updateDate\":1758821487471,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"mps-sso-ozk\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container performed various enumeration activities including checking container runtime, process privileges, user namespace mappings, Linux Security Modules, mount points, and network namespaces.\",\"enabled\":true,\"expression\":\"container.id != \\\"\\\" \\u0026\\u0026 (\\n open.file.path in [~\\\"/run/systemd/container\\\"] ||\\n open.file.path in [~\\\"/proc/*/status\\\", ~\\\"/proc/*/task/*/status\\\"] ||\\n (open.file.path in [~\\\"/proc/*/uid_map\\\"] \\u0026\\u0026 process.file.name not in [\\\"runc\\\"]) ||\\n open.file.path in [~\\\"/proc/*/attr/current\\\"] ||\\n open.file.path in [~\\\"/proc/*/mountinfo\\\"] ||\\n open.file.path in [~\\\"/proc/*/cgroup\\\"] ||\\n open.file.path in [~\\\"/proc/net/unix\\\"]\\n) \\u0026\\u0026\\nprocess.file.in_upper_layer \\u0026\\u0026 \\nprocess.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", 
\\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"] \",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"container_breakout_enumeration_tool\",\"updateDate\":1758821487213,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"sgo-0ij-wgo\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"append\":true,\"default_value\":\"\",\"expression\":\"${process.correlation_key}\",\"inherited\":true,\"name\":\"parent_correlation_keys\",\"scope\":\"process\"},\"filter\":\"${process.correlation_key} != \\\"\\\"\"},{\"set\":{\"default_value\":\"\",\"expression\":\"\\\"service_${builtins.uuid4}\\\"\",\"inherited\":true,\"name\":\"correlation_key\",\"scope\":\"process\"}}],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from service\",\"enabled\":true,\"expression\":\"(exec.envs in [\\\"DD_SERVICE\\\", \\\"OTEL_SERVICE_NAME\\\"] || \\\"tags.datadoghq.com/service\\\" in container.tags) \\u0026\\u0026 ${process.correlation_key} in [\\\"\\\", ~\\\"cgroup_*\\\", ~\\\"auid_*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"execution_context_service\",\"updateDate\":1758821487211,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"nx5-ll1-x6m\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A 
process is masquerading as a kernel thread by using bracket notation in its name\",\"enabled\":true,\"expression\":\"(exec.comm in [r\\\"^\\\\[.*\\\\]$\\\"] || exec.argv0 in [r\\\"^\\\\[.*\\\\]$\\\"]) \\u0026\\u0026 (process.parent.ppid !=2 || process.args != \\\"\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_process_masquerade\",\"updateDate\":1758821487207,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"6lb-gwv-535\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new static pod manifest was created in the Kubernetes manifests directory\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 open.file.path in [~\\\"/etc/kubernetes/manifests/*\\\"]\\n\\u0026\\u0026 open.file.extension in [\\\".yaml\\\", \\\".yml\\\"]\\n\\u0026\\u0026 process.file.path not in [\\\"/usr/bin/kubelet\\\", \\\"/usr/local/bin/kubelet\\\", \\\"/opt/bin/kubelet\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"static_pod_manifest_created\",\"updateDate\":1758821487200,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"mil-ofs-8td\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process removed itself from the filesystem\",\"enabled\":true,\"expression\":\"unlink.file.path == process.file.path\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"unlink_self\",\"updateDate\":1758821487200,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"cuo-g81-vwm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was executed in a Kubernetes user session\",\"enabled\":true,\"expression\":\"exec.user_session.k8s_username != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"k8s_user_session\",\"updateDate\":1758821487198,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"9rv-bls-azq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nohup was used to ignore process termination signals\",\"enabled\":true,\"expression\":\"exec.comm == \\\"nohup\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nohup_usage\",\"updateDate\":1758821487198,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"had-5ot-yh0\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"append\":true,\"field\":\"process.file.name\",\"name\":\"imds_v1_usage_services\",\"ttl\":10000000000}}],\"agentConstraint\":\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDSv1 request was issued\",\"enabled\":false,\"expression\":\"imds.cloud_provider == \\\"aws\\\" \\u0026\\u0026 imds.aws.is_imds_v2 == false \\u0026\\u0026 process.file.name not in ${imds_v1_usage_services}\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"imds_v1_usage\",\"updateDate\":1758821375076,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"mpb-1rj-dv6\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1598516746168,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ 
~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\", ~\\\"/usr/lib/modules-load.d/**\\\", ~\\\"/etc/modules-load.d/**\\\", ~\\\"/etc/modprobe.d/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_rename\",\"updateDate\":1758821375033,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":11}},{\"id\":\"lt7-ru0-jsw\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process connected to a penetration testing domain\",\"enabled\":true,\"expression\":\"connect.addr.hostname in [~\\\"*.interact.sh\\\", ~\\\"*.oast.pro\\\", ~\\\"*.oast.live\\\", ~\\\"*.oast.fun\\\", ~\\\"*.oast.me\\\", ~\\\"*.burpcollaborator.net\\\", ~\\\"*.oastify.com\\\", ~\\\"*canarytokens.com\\\", ~\\\"*.requestbin.net\\\", ~\\\"*.dnslog.cn\\\"] \\u0026\\u0026 connect.addr.is_public == true\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"pentest_domain\",\"updateDate\":1758821375016,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"esk-ygv-wg5\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A file executed from /dev/shm/ directory\",\"enabled\":true,\"expression\":\"exec.file.path == ~\\\"/dev/shm/**\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"devshm_execution\",\"updateDate\":1758821374996,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"m8i-uhr-aoq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\"]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\"])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_link\",\"updateDate\":1758821338819,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":4}},{\"id\":\"eeb-m3q-buz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"field\":\"unlink.file.path\",\"name\":\"correlation_key_file_path\",\"scope\":\"cgroup\"}}],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A file was deleted shortly after it was executed\",\"enabled\":true,\"expression\":\"unlink.file.path in 
${cgroup.chain_exec_unlink}\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"delete_new_process\",\"updateDate\":1758821241938,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"2fy-aqt-8mz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_rename\",\"updateDate\":1758821241590,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":4}},{\"id\":\"ysz-c0t-vzy\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process checked the public IP address of the host\",\"enabled\":true,\"expression\":\"connect.addr.hostname in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] \\u0026\\u0026 connect.addr.is_public == true \\u0026\\u0026 connect.addr.port in [80, 443]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ip_lookup_domain\",\"updateDate\":1758821241561,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"fak-u9s-pac\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File 
Activity\",\"creationDate\":1606142936138,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_chown\",\"updateDate\":1758821241527,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":5}},{\"id\":\"adl-qjr-lyg\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_open\",\"updateDate\":1758821241329,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":5}},{\"id\":\"ei7-n5e-rvv\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\" 
])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_unlink\",\"updateDate\":1758821241325,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":4}},{\"id\":\"kr2-ybp-wh8\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"hash\":{\"field\":\"process.file\"}}],\"agentConstraint\":\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process made a connection to a port associated with P2PInfect malware\",\"enabled\":true,\"expression\":\"(connect.addr.family == AF_INET || connect.addr.family == AF_INET6) \\u0026\\u0026 connect.addr.is_public == true \\u0026\\u0026 connect.addr.port \\u003e= 60100 \\u0026\\u0026 connect.addr.port \\u003c= 60150\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"p2pinfect_connection\",\"updateDate\":1758821241285,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"12k-ui3-z4h\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\"])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_chmod\",\"updateDate\":1758821241268,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":5}},{\"id\":\"wn9-9vf-8be\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process hidden using 
mount\",\"enabled\":true,\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", ~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"] \\u0026\\u0026 process.argv0 != \\\"runc\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_proc_hide\",\"updateDate\":1758821241260,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"avt-p2e-fyc\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1598516746168,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\", ~\\\"/usr/lib/modules-load.d/**\\\", ~\\\"/etc/modules-load.d/**\\\", ~\\\"/etc/modprobe.d/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_chmod\",\"updateDate\":1758821241158,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":10}},{\"id\":\"ec9-vff-7ni\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File 
Activity\",\"creationDate\":1598516746168,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\", ~\\\"/usr/lib/modules-load.d/**\\\", ~\\\"/etc/modules-load.d/**\\\", ~\\\"/etc/modprobe.d/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_link\",\"updateDate\":1758821241086,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":11}},{\"id\":\"esw-jp7-chn\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The rclone utility was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"rclone\\\", \\\"rsync\\\", \\\"sftp\\\", \\\"ftp\\\", \\\"scp\\\", \\\"dcp\\\", \\\"rcp\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"file_sync_exfil\",\"updateDate\":1749232465958,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"a6b-xqu-n6r\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match sliver c2 implant\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*NoExit *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*Command *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"sliver_c2_implant_execution\",\"updateDate\":1749232465391,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"9mk-xxe-lpw\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":1617722068555,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container management utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\", \\\"ctr\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suspicious_container_client\",\"updateDate\":1749232439098,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"pwg-71z-aob\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 
process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n\\u0026\\u0026 container.id != \\\"\\\"\\n\\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_open_v2\",\"updateDate\":1749232438080,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"efc-svz-7hu\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A web application spawned a shell or shell utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"]) \\u0026\\u0026\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"potential_web_shell_parent\",\"updateDate\":1749232437323,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"fjh-jmi-fbi\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd rules file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditd_rule_file_modified\",\"updateDate\":1749232436502,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"ipa-v3l-kt6\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_chmod\",\"updateDate\":1749232436328,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":8}},{\"id\":\"onm-dqu-jly\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_open\",\"updateDate\":1749232434913,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":8}},{\"id\":\"7nq-ugi-gu1\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || link.file.destination.path in [ 
~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_link\",\"updateDate\":1749232434911,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":9}},{\"id\":\"msb-ai6-ua5\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tunneling or port forwarding tool used\",\"enabled\":true,\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") \\u0026\\u0026 process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] \\u0026\\u0026 process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] \\u0026\\u0026 process.args in [r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" \\u0026\\u0026 process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" \\u0026\\u0026 process.args in [r\\\"(TCP4-LISTEN:|SOCKS)\\\"]) || (exec.comm in [\\\"iodine\\\", 
\\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] \\u0026\\u0026 process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tunnel_traffic\",\"updateDate\":1749232434907,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"7bv-uip-wxv\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"microsoft security essentials executable modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\Program Files\\\\Microsoft Security Client\\\\msseces.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_security_essentials_executable_modified\",\"updateDate\":1749232411868,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"24x-t0s-vlw\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"find command searching for sensitive files\",\"enabled\":true,\"expression\":\"exec.comm == \\\"find\\\" \\u0026\\u0026 exec.args in [~\\\"*credentials*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"find_credentials\",\"updateDate\":1749232411667,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"tfh-7pq-ne3\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Perl executed with suspicious argument\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"perl*\\\" \\u0026\\u0026 
exec.args_flags in [\\\"e\\\"] \\u0026\\u0026 (exec.args in [~\\\"*socket*\\\", ~\\\"*bind*\\\", ~\\\"*sockaddr*\\\", ~\\\"*listen*\\\", ~\\\"*accept\\\", ~\\\"*stdin*\\\", ~\\\"*stdout\\\"])\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"perl_shell\",\"updateDate\":1749232409731,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"rek-wb4-s7y\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n ( rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"] \\n || rename.file.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"] \\n || rename.file.destination.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"systemd_modification_rename\",\"updateDate\":1749232382129,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":8}},{\"id\":\"qdc-oqx-zsx\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_chown\",\"updateDate\":1749232381893,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":9}},{\"id\":\"ich-3ke-cor\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"]\\n || link.file.destination.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_link\",\"updateDate\":1749232381667,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"nlp-lzc-rcf\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142929241,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"] || open.file.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_open\",\"updateDate\":1749232381238,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":6}},{\"id\":\"ohp-ags-xpk\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_utimes\",\"updateDate\":1749232380612,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":5}},{\"id\":\"ybu-yya-acz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.mode != chmod.file.destination.mode\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_chmod\",\"updateDate\":1749232340405,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":10}},{\"id\":\"vky-y2i-mvh\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"])\\n\\u0026\\u0026 process.parent.file.name in [\\\"java\\\", \\\"jspawnhelper\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"java_shell_execution_parent\",\"updateDate\":1749232339592,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"6ef-efv-07c\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_utimes\",\"updateDate\":1749232337174,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":6}},{\"id\":\"zuq-yfd-hun\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A privileged container was created\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003c 1s \\u0026\\u0026 process.cap_permitted \\u0026 CAP_SYS_ADMIN \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"deploy_priv_container\",\"updateDate\":1749232336681,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"ki2-nwj-sot\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_chmod\",\"updateDate\":1749232336676,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":5}},{\"id\":\"div-3ym-esz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd configuration file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != 
\\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditd_config_modified\",\"updateDate\":1749232336672,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"lxo-jgz-gtv\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_chown\",\"updateDate\":1749232336672,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"t8w-eul-chf\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"] || utimes.file.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"systemd_modification_utimes\",\"updateDate\":1749232290939,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":8}},{\"id\":\"rws-z9b-qjv\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Possible ransomware note created under common user directories\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", ~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", ~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n\\u0026\\u0026 (open.file.name in [r\\\"(?i)(restore|recover|instruction|help|how_to|how\\\\ to|ransom).*(your_|recover|crypt|lock|ransom|instruction|files)\\\"] || open.file.name in [r\\\"RECOVER.*\\\\.txt\\\"]) \\u0026\\u0026 open.file.name not in [r\\\"\\\\.lock$\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ransomware_note\",\"updateDate\":1749232290803,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"atu-tci-bjn\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_unlink\",\"updateDate\":1749232289522,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":8}},{\"id\":\"cyq-zts-9vf\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process matches known relay attack tool\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"*PetitPotam*\\\", ~\\\"*RottenPotato*\\\", ~\\\"*HotPotato*\\\", ~\\\"*JuicyPotato*\\\", ~\\\"*just_dce_*\\\", ~\\\"*Juicy Potato*\\\", \\\"rot.exe\\\", \\\"Potato.exe\\\", \\\"SpoolSample.exe\\\", \\\"Responder.exe\\\", ~\\\"*smbrelayx*\\\", ~\\\"*smbrelayx*\\\", ~\\\"*ntlmrelayx*\\\", ~\\\"*LocalPotato*\\\"] || exec.cmdline in [~\\\"*Invoke-Tater*\\\", ~\\\"*smbrelay*\\\", ~\\\"*ntlmrelay*\\\", ~\\\"*cme smb*\\\", ~\\\"*ntlm:NTLMhash*\\\", ~\\\"*Invoke-PetitPotam*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"relay_attack_tool_execution\",\"updateDate\":1749232288712,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"d6x-aku-m2l\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to overwrite the container entrypoint\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/proc/self/fd/1\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0 \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"overwrite_entrypoint\",\"updateDate\":1749232287873,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"jjg-cwd-bi8\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_open_v2\",\"updateDate\":1749232277186,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"vei-wlu-ojy\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows Known DLLs location registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in 
[~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\KnownDLLs*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"known_dll_registry_key_modified\",\"updateDate\":1749232277181,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"yly-big-wfq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_chown\",\"updateDate\":1749232277090,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":7}},{\"id\":\"nej-iw4-adk\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been 
modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_open\",\"updateDate\":1749232241422,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":4}},{\"id\":\"hxb-abz-bnu\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_chmod\",\"updateDate\":1749232240734,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"eoy-4fe-q7q\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", 
\\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_chown\",\"updateDate\":1749232236504,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":12}},{\"id\":\"bgs-kbk-xkh\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n ( link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"]\\n || link.file.destination.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"] \\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"] \\n || link.file.path in [ ~\\\"/etc/systemd/user/**\\\", 
~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_link\",\"updateDate\":1749232236046,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":8}},{\"id\":\"ez9-ozl-3lz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"enabled\":true,\"expression\":\"dns.question.name in [~\\\"*.minexmr.com\\\", \\\"minexmr.com\\\", ~\\\"*.nanopool.org\\\", \\\"nanopool.org\\\", ~\\\"*.supportxmr.com\\\", \\\"supportxmr.com\\\", ~\\\"*.c3pool.com\\\", \\\"c3pool.com\\\", ~\\\"*.p2pool.io\\\", \\\"p2pool.io\\\", ~\\\"*.ethermine.org\\\", \\\"ethermine.org\\\", ~\\\"*.f2pool.com\\\", \\\"f2pool.com\\\", ~\\\"*.poolin.me\\\", \\\"poolin.me\\\", ~\\\"*.rplant.xyz\\\", \\\"rplant.xyz\\\", ~\\\"*.miningocean.org\\\", \\\"miningocean.org\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mining_pool_lookup\",\"updateDate\":1749232235795,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"pnv-bxc-sbp\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a critical windows file was modified\",\"enabled\":true,\"expression\":\"write.file.device_path in 
[~\\\"\\\\Device\\\\*\\\\windows\\\\system32\\\\**\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"critical_windows_files_modified\",\"updateDate\":1749232205582,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"eay-ery-jdc\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dotnet_dump was used to dump a process memory\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*dotnet-dump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*collect*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"dotnet_dump_execution\",\"updateDate\":1749232205568,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"xhw-6bw-uk0\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows RPC COM debugging registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_com_rpc_debugging_registry_key_modified\",\"updateDate\":1749232204661,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"cj8-z89-sqt\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows winlogon registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"winlogon_registry_key_modified\",\"updateDate\":1749232204661,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"fpw-paa-smb\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1598516746168,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_utimes\",\"updateDate\":1749232192112,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":11}},{\"id\":\"vlh-msh-elx\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"hash\":{}}],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Redis module has been created\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) \\u0026\\u0026 process.file.name in [\\\"redis-check-rdb\\\", 
\\\"redis-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"redis_save_module\",\"updateDate\":1749232190855,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"kxs-kt6-5gt\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"] || unlink.file.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_unlink\",\"updateDate\":1749232190582,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":8}},{\"id\":\"84k-f4f-yx8\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Python code was provided on the command line\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"python*\\\" \\u0026\\u0026 exec.args_flags in [\\\"c\\\"] \\u0026\\u0026 exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", ~\\\"*-c*/bash*\\\", ~\\\"*-c*/bin/sh*\\\", ~\\\"*-c*pty.spawn*\\\"] \\u0026\\u0026 exec.args !~ 
\\\"*setuptools*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"python_cli_code\",\"updateDate\":1749232190580,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":5}},{\"id\":\"x3k-0en-bhm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_open_v2\",\"updateDate\":1749232190516,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"psd-3el-h33\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in 
[~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_utimes\",\"updateDate\":1749232187098,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":10}},{\"id\":\"dgj-0mh-asf\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_unlink\",\"updateDate\":1749232187098,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"uuf-w3c-u9q\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A scheduled task was created\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*at.exe\\\",~\\\"*schtasks*\\\"] \\u0026\\u0026 exec.cmdline =~ \\\"*create*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"scheduled_task_creation\",\"updateDate\":1749232187097,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"47p-vyr-rfx\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process executed with arguments common with Inveigh tool usage\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*SpooferIP*\\\", ~\\\"*ReplyToIPs*\\\", 
~\\\"*ReplyToDomains*\\\", ~\\\"*ReplyToMACs*\\\", ~\\\"*SnifferIP*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"inveigh_tool_usage\",\"updateDate\":1749232184204,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"c4t-pxu-ixk\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1598516746168,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_unlink\",\"updateDate\":1749232167527,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":11}},{\"id\":\"i0s-yb1-hnl\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Exfiltration attempt via network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026\\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", 
~\\\"F=file*\\\"] \\u0026\\u0026\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_util_exfiltration\",\"updateDate\":1749232167524,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":5}},{\"id\":\"vu4-g2z-6yx\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was deleted via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"userdel\\\", \\\"deluser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"user_deleted_tty\",\"updateDate\":1749232147434,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"qzs-yvl-f4t\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != 
\\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_rename\",\"updateDate\":1749232147409,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":9}},{\"id\":\"3tj-btx-kvo\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":1617722067648,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Package management was detected in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"package_management_in_container\",\"updateDate\":1749232147395,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":6}},{\"id\":\"rm1-b8h-cec\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n 
|| link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_link\",\"updateDate\":1749232147394,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":6}},{\"id\":\"1vg-wvn-jeo\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_rename\",\"updateDate\":1749232103404,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":6}},{\"id\":\"6t0-pxf-oag\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container management socket was referenced in a cURL command\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"curl\\\" \\u0026\\u0026 exec.args_flags in [\\\"unix-socket\\\"] \\u0026\\u0026 exec.args in [~\\\"*docker.sock*\\\", ~\\\"*dockershim.sock*\\\", ~\\\"*containerd.sock*\\\", ~\\\"*crio.sock*\\\", ~\\\"*frakti.sock*\\\", ~\\\"*rktlet.sock*\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"curl_mgmt_socket\",\"updateDate\":1749232103400,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"0gu-pqy-o1a\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"]\\n || link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" 
]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_link\",\"updateDate\":1749232103394,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":8}},{\"id\":\"ac4-asc-qi4\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"credential_modified_rename\",\"updateDate\":1749232103392,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":11}},{\"id\":\"9ih-87r-xrp\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Registry runkey has been modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_runkey_modified\",\"updateDate\":1749232103386,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"kmx-s3s-htb\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 
container.created_at \\u003e 90s \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_open_v2\",\"updateDate\":1749232103384,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"mhl-gkn-bun\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_unlink\",\"updateDate\":1749232103382,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":7}},{\"id\":\"tkp-w9m-vzp\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File 
Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Safeboot registry modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"safeboot_modification\",\"updateDate\":1749232103378,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"kek-yib-peb\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"unlink.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 unlink.file.path in [~\\\"/root/**\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_deleted\",\"updateDate\":1749232103375,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"0on-nzp-luo\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n(open.file.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"])) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_open\",\"updateDate\":1749232103374,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"kzh-5hn-edg\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_chmod\",\"updateDate\":1749232103371,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":7}},{\"id\":\"2p0-3i2-b4y\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ 
~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_open\",\"updateDate\":1749232035236,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":10}},{\"id\":\"q7y-2ci-hkh\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a pastebin-like site\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\", \\\"rentry.co\\\", \\\"transfer.sh\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"paste_site\",\"updateDate\":1749232034921,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"pti-xku-k7y\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 open.file.path in 
[~\\\"/root/*\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.file.name == \\\"truncate\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_truncated\",\"updateDate\":1749231989700,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":4}},{\"id\":\"wew-y1h-1um\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"hash\":{}}],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler wrote a suspicious file in a container\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n\\u0026\\u0026 (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"])\\n\\u0026\\u0026 process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n\\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"compile_after_delivery\",\"updateDate\":1749231989698,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"smc-exb-ymp\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file directory\",\"enabled\":true,\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\", ~\\\"LD_PRELOAD=/dev/shm/*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"ld_preload_unusual_library_path\",\"updateDate\":1749231989692,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"zk5-jeo-579\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"RC scripts modified\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 (open.file.path in [\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"rc_scripts_modified\",\"updateDate\":1749231989692,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"ygi-ozn-m5d\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"memfd object created\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\"memfd*\\\" \\u0026\\u0026 exec.file.path == \\\"\\\" \\u0026\\u0026 process.parent.file.path not in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\" , \\\"/run/docker/runtime-runc/moby/*\\\", \\\"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\\\"] \\u0026\\u0026 !(process.comm == \\\"dd-ipc-helper\\\" \\u0026\\u0026 exec.file.name in [\\\"memfd:spawn_worker_trampoline (deleted)\\\", \\\"memfd:spawn_worker_trampoline\\\"])\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"memfd_create\",\"updateDate\":1749231989691,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"aby-cmp-yrd\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process wrote to a dynamic linker config file\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"] \\u0026\\u0026 process.argv0 not in [\\\"runc\\\", \\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"dynamic_linker_config_write\",\"updateDate\":1749231989670,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"r5z-tke-sjm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_link\",\"updateDate\":1749231989669,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":11}},{\"id\":\"cd0-w8q-vl4\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1598516746168,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" 
])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_chown\",\"updateDate\":1749231989669,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":12}},{\"id\":\"f5y-pdn-pnj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1650293718458,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == false \\u0026\\u0026 load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", \\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\", \\\"udp_diag\\\", \\\"inet_diag\\\"] \\u0026\\u0026 process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"kernel_module_load\",\"updateDate\":1749231989667,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":5}},{\"id\":\"qng-psi-j15\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1627392837049,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The runc binary was modified in a non-standard way\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n\\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"runc_modification\",\"updateDate\":1749231989583,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":6}},{\"id\":\"bm8-j5w-xfv\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently written or modified suid file has been executed\",\"enabled\":true,\"expression\":\"((process.file.mode \\u0026 S_ISUID \\u003e 0) \\u0026\\u0026 process.file.modification_time \\u003c 30s) \\u0026\\u0026 exec.file.name != \\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in 
[\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suspicious_suid_execution\",\"updateDate\":1749231989566,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":4}},{\"id\":\"h9w-1za-erv\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1742473059337,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1742473059978,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":2}},{\"id\":\"khg-aab-9th\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1737245935950,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1737245936416,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":2}},{\"id\":\"ayg-ed4-gwq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1730871736407,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_KSDPb\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1730871736407,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"om5-n7z-ike\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1727845578846,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_qDgvU\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1727845578846,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"6ae-6oo-ebo\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1724855417119,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java 
process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_DBtCK\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1724855417119,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"z3p-vom-jnb\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1724373425669,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1724373425669,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"aum-fmk-2zi\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1720846828022,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_sUVnW\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1720846828022,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"8j1-gvj-zbg\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1720846816336,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_ipyRF\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1720846816336,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"mgj-zek-ajo\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1718401086044,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_AszwF\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1718401086044,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"bf0-bng-csr\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1718400725834,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"dummy_rule_bVlLJ\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1718400725834,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"qni-ngf-dzd\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1716175452369,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_tSfwV\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1716175452369,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"qio-d0k-d3j\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1716162686297,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_mABue\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1716162686297,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"fbo-ian-ijl\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713905359927,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_VfQSV\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713905359927,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"1o7-fwy-pet\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713903379681,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_JAnCe\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713903379681,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"ug1-mbq-gkm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713902127183,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_KJInv\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713902127183,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"xvo-htm-wak\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713901759732,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java 
process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_PkauG\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713901759732,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"zfc-g0g-a8x\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196703991,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_LPRxi\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196703991,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"pae-rpt-yni\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196520725,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_CpDMZ\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196520725,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"jwu-xbf-ic5\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196519724,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_HfYXr\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196519724,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"uew-oxg-b86\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712805386256,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_Tjzvu\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712805386256,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"wyn-ib7-f7o\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712805020073,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"dummy_rule_fWORB\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712805020073,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"mwk-g74-lbd\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712804840761,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_XcxFr\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712804840761,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"rqa-io7-fwn\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712804479644,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_bKkuv\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712804479644,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"n1x-qsa-p53\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A cryptominer was potentially executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*xmrig*\\\", ~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", 
~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_cryptominer_process\",\"updateDate\":1712079129574,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"pqp-0vs-cmu\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The configuration directory for an ssh worm\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_it_tool_config_write\",\"updateDate\":1711644642969,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"8be-hej-nf2\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Processes were listed using the ps command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"ps\\\" \\u0026\\u0026 exec.argv not in [\\\"-p\\\", \\\"--pid\\\"] \\u0026\\u0026 process.ancestors.file.name not in [\\\"qualys-cloud-agent\\\", \\\"amazon-ssm-agent\\\"] \\u0026\\u0026 process.parent.file.name not in [\\\"rkhunter\\\", \\\"jspawnhelper\\\", ~\\\"vm-agent*\\\", \\\"PassengerAgent\\\", \\\"node\\\", \\\"wdavdaemon\\\", \\\"chkrootkit\\\", \\\"tsagentd\\\", \\\"wazuh-modulesd\\\", \\\"wdavdaemon\\\", \\\"talend-remote-engine-service\\\", \\\"check_procs\\\", \\\"newrelic-daemon\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"ps_discovery\",\"updateDate\":1711644627589,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"upj-muh-hms\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS request was made for a chatroom domain\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"chatroom_request\",\"updateDate\":1711644612626,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"gnz-81e-6lg\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process environment variables match cryptocurrency miner\",\"enabled\":true,\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", \\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cryptominer_envs\",\"updateDate\":1711644602654,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"7da-gwx-c3l\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditctl command was used to modify auditd\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"auditctl\\\" \\u0026\\u0026 exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditctl_usage\",\"updateDate\":1711644592613,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"8jg-xym-vqz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Jupyter notebook executed a shell\",\"enabled\":true,\"expression\":\"(exec.file.name in [\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"test\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in 
[\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"jupyter_shell_execution\",\"updateDate\":1711644590883,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"30s-pi8-9b4\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1711550899699,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1711550899699,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"a9q-iyx-gfu\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686508595,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686508595,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"hlq-w7y-5tg\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686508341,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686508341,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"lj4-ina-ue2\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507890,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507890,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"qlz-mcu-d2k\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507757,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507757,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"bmx-go6-0lz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507388,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507388,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"bk0-mpb-ii8\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507115,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507115,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"0xw-wbm-pel\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131459596,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131459596,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"nvt-eoh-yiz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131458820,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131458820,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"dc5-hba-20b\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131457616,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131457616,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"asb-kqf-vex\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131457216,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131457216,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"yzx-ia6-bdh\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131456469,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131456469,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"3uo-x9p-tmb\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131455692,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131455692,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"kan-5ki-wau\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872191984,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872191984,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"ggb-h3r-t7d\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872191450,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872191450,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"y4n-8gx-m3n\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872190549,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872190549,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"xsf-ugy-cfq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872190256,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872190256,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"btr-btz-zif\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872189757,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872189757,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"jnw-ija-az5\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872189262,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872189262,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"6v0-shq-8gm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452911364,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452911364,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"yrv-svq-9nz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452911144,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452911144,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"9s9-wui-t8c\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910712,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910712,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"krm-ssv-tn5\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910586,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910586,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"uiu-6vz-z2h\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910368,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910368,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"eej-oup-jwu\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910147,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910147,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"ltv-fla-wb0\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"NTDS file referenced in commandline\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"ntds_in_commandline\",\"updateDate\":1704404490608,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"nyc-gfz-yr5\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_chown\",\"updateDate\":1704404477785,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":5}},{\"id\":\"phy-tco-k7w\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":1617722069155,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) \\u0026\\u0026\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] \\u0026\\u0026\\n!(process.parent.file.name == \\\"initdb\\\" \\u0026\\u0026\\nexec.args == \\\"-c locale -a\\\") \\u0026\\u0026\\n!(process.parent.file.name == \\\"postgres\\\" \\u0026\\u0026\\nexec.args == ~\\\"*pg_wal*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"database_shell_execution\",\"updateDate\":1704404453620,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":6}},{\"id\":\"7x1-glr-ofl\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.created_at \\u003e 
90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_open_v2\",\"updateDate\":1704404453617,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"rqb-wq9-xzq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1704404420111,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_jcvqK\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1704404420111,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"sqx-azd-ia2\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1700251049947,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dummy_rule_ivMAv\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1700251049947,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"83g-jde-hyc\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1700243663249,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1700243663249,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"hyg-8q3-gme\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294824,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294824,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"bn3-we8-cxn\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294647,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294647,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"goh-6ij-cpa\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294269,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294269,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"he7-cho-9th\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294175,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294175,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"pj5-9wo-0ny\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219293961,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219293961,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"dmd-ens-omw\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219293736,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219293736,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"8ft-wcs-sok\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132880522,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132880522,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"onm-fm3-ilm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132880255,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132880255,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"cxv-wyz-udh\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879795,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879795,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"7ro-vjj-hqg\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879679,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879679,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"3uf-mai-edh\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879455,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879455,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"e2t-sos-sgs\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879213,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879213,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"joz-phu-bj6\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046608383,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046608383,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"9gx-e5x-wxl\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046607880,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046607880,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"cmg-7ok-iws\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046607019,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046607019,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"fc2-mmz-xme\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046606743,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046606743,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"cw4-gei-lqg\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046606184,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046606184,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"djb-5it-syy\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046605699,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046605699,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"2be-cfa-xhr\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960183272,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960183272,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"5dp-tcj-tbm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960182731,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960182731,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"a0m-zaf-0a8\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181838,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181838,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"erx-pyz-xft\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181554,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181554,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"ydh-fsm-slz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181024,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181024,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"5pp-60h-keq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960180438,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960180438,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"xyn-fkc-osi\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873852793,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873852793,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"llg-x6t-jjq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873852043,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873852043,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"q1s-ejx-xq3\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873850880,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873850880,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"zw4-cad-dro\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873850490,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873850490,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"rik-8jl-7nr\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873849810,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873849810,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"vih-vom-ryl\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873849102,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873849102,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"j3f-cie-47b\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718630,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_from_memory\",\"updateDate\":1699614659145,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"my1-vln-8fq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process launched with arguments associated with cryptominers\",\"enabled\":true,\"expression\":\"exec.args_options in [~\\\"cpu-priority*\\\", ~\\\"donate-level*\\\"] || exec.args in [~\\\"*stratum+tcp*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cryptominer_args\",\"updateDate\":1699614656177,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"us6-p6v-hbj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tar archive created\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" \\u0026\\u0026 exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"tar_execution\",\"updateDate\":1699614655670,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"ohe-vlf-t2h\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_chown\",\"updateDate\":1699614645120,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":9}},{\"id\":\"abo-w0g-emz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614584761,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614584761,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"yyr-62t-pwg\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614584201,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614584201,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"s87-olo-akk\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614583309,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614583309,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"hqc-ilw-6pg\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614583007,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614583007,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"5ik-iyy-ry4\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614582497,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614582497,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"0mj-ptm-mcq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614581944,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614581944,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"awr-mtg-lce\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A known kubernetes pentesting tool has been executed\",\"enabled\":true,\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] \\u0026\\u0026 (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"filters\":[],\"name\":\"offensive_k8s_tool\",\"updateDate\":1699605598275,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"ki7-koc-icf\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":1627392836162,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AppArmor profile was modified in an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"apparmor_modified_tty\",\"updateDate\":1699605581360,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"je9-er4-njy\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Kernel 
Activity\",\"creationDate\":1635332067172,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SELinux enforcement status was disabled\",\"enabled\":true,\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] \\u0026\\u0026 process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"filters\":[],\"name\":\"selinux_disable_enforcement\",\"updateDate\":1699605560892,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"332-1wp-nhi\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1699375258346,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1699375258346,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"pn7-9wx-enb\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130893,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\",\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130893,\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"version\":1}},{\"id\":\"zag-uxd-4rh\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130586,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\",\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130586,\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"version\":1}},{\"id\":\"gj1-f5n-atq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130040,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\",\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130040,\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"version\":1}},{\"id\":\"xoa-393-gtb\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129856,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129856,\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"version\":1}},{\"id\":\"wib-odd-eos\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129533,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129533,\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"version\":1}},{\"id\":\"zi0-hgn-9ec\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129209,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129209,\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"version\":1}},{\"id\":\"oce-aqj-x6b\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185616079,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\",\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185616079,\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"version\":1}},{\"id\":\"cdt-p7e-q1b\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185615169,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\",\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185615169,\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"version\":1}},{\"id\":\"wgo-mps-djd\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185614427,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\",\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185614427,\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"version\":1}},{\"id\":\"odr-ipk-wvx\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185613924,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\",\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185613924,\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"version\":1}},{\"id\":\"nb1-dkb-bwz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185612915,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\",\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185612915,\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"version\":1}},{\"id\":\"t2g-qma-f5b\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185611378,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\",\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185611378,\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"version\":1}},{\"id\":\"ayp-cd9-j3f\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Local account groups were enumerated after container start up\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"filters\":[],\"name\":\"network_sniffing_tool\",\"updateDate\":1688748485348,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"fdh-b1k-i0e\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a SUID file was executed\",\"enabled\":true,\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) \\u0026\\u0026 process.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 process.file.uid == 0 \\u0026\\u0026 process.uid != 0 \\u0026\\u0026 process.file.path != \\\"/usr/bin/sudo\\\"\",\"filters\":[],\"name\":\"suid_file_execution\",\"updateDate\":1688748479473,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"rqu-01q-fmr\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed in a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ] \\u0026\\u0026 container.created_at \\u003e 180s\",\"filters\":[],\"name\":\"net_util_in_container_v2\",\"updateDate\":1688748479210,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"igw-lex-dzw\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A hidden file was executed in a suspicious folder\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\".*\\\" \\u0026\\u0026 exec.file.path in [~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"filters\":[],\"name\":\"hidden_file_executed\",\"updateDate\":1688748474266,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"ixh-tff-n0g\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell profile was modified\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] \\u0026\\u0026 open.flags \\u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \\u003e 
0\",\"filters\":[],\"name\":\"shell_profile_modification\",\"updateDate\":1688748474208,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"llh-ylu-udm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740629202,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740629202,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"tfj-qbi-njb\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740550818,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740550818,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"otj-idk-ece\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740379706,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740379706,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"l88-cpw-jvx\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688739737197,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688739737197,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"kcw-scc-5ve\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688677455854,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688677455854,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"lg7-iv9-wts\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without 
authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[],\"name\":\"sudoers_policy_modified_utimes\",\"updateDate\":1684185006444,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"07x-ilo-vbw\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path == \\\"/etc/sudoers\\\"\\n || rename.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[],\"name\":\"sudoers_policy_modified_rename\",\"updateDate\":1684184995498,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"wxp-zv6-mdg\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the kmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"kmod\\\" \\u0026\\u0026 exec.args in [~\\\"*list*\\\"]\",\"filters\":[],\"name\":\"kmod_list\",\"updateDate\":1684184992493,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"rsp-g6i-jdi\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"systemctl used to stop a service\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"systemctl\\\" \\u0026\\u0026 exec.args in [~\\\"*stop*\\\"]\",\"filters\":[],\"name\":\"service_stop\",\"updateDate\":1684184991238,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"d5p-vk6-w0f\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the lsmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"filters\":[],\"name\":\"exec_lsmod\",\"updateDate\":1684184990877,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"zdy-kcq-q0v\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The kubeconfig file was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"filters\":[],\"name\":\"read_kubeconfig\",\"updateDate\":1684184984191,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"yij-lei-ykx\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The whoami command was executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"whoami\\\"\",\"filters\":[],\"name\":\"exec_whoami\",\"updateDate\":1684184982050,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"swo-jyw-vtb\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS EKS service account token was 
accessed\",\"enabled\":true,\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"filters\":[],\"name\":\"aws_eks_service_account_token_accessed\",\"updateDate\":1681490453789,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":5}},{\"id\":\"w07-amm-bxr\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ 
\\\"runc*\\\"\",\"filters\":[],\"name\":\"ssl_certificate_tampering_utimes\",\"updateDate\":1681490443753,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":10}},{\"id\":\"jin-icc-lpi\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[],\"name\":\"ssl_certificate_tampering_unlink\",\"updateDate\":1681490440557,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":8}},{\"id\":\"9hn-ukg-ek1\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222899530,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222899530,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"ulc-8ym-1ch\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222899155,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222899155,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"zja-jqt-rpm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898613,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898613,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"2ov-h11-m4w\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898408,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898408,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"shb-0xv-eib\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898061,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898061,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"psp-nbn-dtg\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222897739,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222897739,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"mcq-6by-989\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856493876,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856493876,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"tci-5f7-cis\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856492960,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856492960,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"mey-lit-gzs\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856491445,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856491445,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"4ve-rws-nw0\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856490988,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856490988,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"9aa-y0q-rrc\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856490077,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[],\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856490077,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"tvd-3p1-cai\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856489180,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856489180,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"asy-mod-zmt\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":1627392836979,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was created via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 exec.args_flags not in 
[\\\"D\\\"]\",\"filters\":[],\"name\":\"user_created_tty\",\"updateDate\":1677793421528,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":5}},{\"id\":\"4fh-bb7-747\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[],\"name\":\"credential_modified_chmod\",\"updateDate\":1677793414173,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":11}},{\"id\":\"yiy-mba-pny\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":1617722067554,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility (nmap) commonly used in intrusion attacks was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zgrab\\\", \\\"zgrab2\\\", 
\\\"rustscan\\\", \\\"pnscan\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"filters\":[],\"name\":\"common_net_intrusion_util\",\"updateDate\":1677793413474,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":5}},{\"id\":\"oio-i4o-xzw\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell with a TTY was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 process.tty_name != \\\"\\\" \\u0026\\u0026 process.container.id != \\\"\\\"\",\"filters\":[],\"name\":\"tty_shell_in_container\",\"updateDate\":1677793412844,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"pwh-omk-qrr\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":1652129906455,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container executed a new binary not found in the container image\",\"enabled\":true,\"expression\":\"container.id != \\\"\\\" \\u0026\\u0026 process.file.in_upper_layer \\u0026\\u0026 
process.file.modification_time \\u003c 30s \\u0026\\u0026 exec.file.name != \\\"\\\"\",\"filters\":[],\"name\":\"new_binary_execution_in_container\",\"updateDate\":1677793412378,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"tmh-now-e61\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[],\"name\":\"pci_11_5_critical_binaries_open\",\"updateDate\":1677793410974,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":6}},{\"id\":\"ay7-jkz-rda\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 
process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[],\"name\":\"credential_modified_unlink\",\"updateDate\":1677793404797,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":10}},{\"id\":\"bw8-80r-qih\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677793394115,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"dummy_rule_BAiZP\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677793394115,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"gtx-vpl-ror\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1675978633464,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[],\"name\":\"dummy_rule_lszUX\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1675978633464,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"xye-pfo-y0r\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1598516746168,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[],\"name\":\"kernel_module_open\",\"updateDate\":1674486423764,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":9}},{\"id\":\"cmu-g58-cau\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 
process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[],\"name\":\"cron_at_job_creation_rename\",\"updateDate\":1674486423628,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":6}},{\"id\":\"sna-hgh-vo4\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process unlinked a dynamic linker config file\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\",\"filters\":[],\"name\":\"dynamic_linker_config_unlink\",\"updateDate\":1674486422738,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"tna-ty5-e7c\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The host file system was mounted in a container\",\"enabled\":true,\"expression\":\"mount.source.path == \\\"/\\\" \\u0026\\u0026 mount.fs_type != \\\"overlay\\\" \\u0026\\u0026 container.id != 
\\\"\\\"\",\"filters\":[],\"name\":\"mount_host_fs\",\"updateDate\":1674486412444,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"3xl-qds-f0e\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[],\"name\":\"cron_at_job_creation_chown\",\"updateDate\":1674486406776,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":7}},{\"id\":\"ygn-d8o-ncr\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[],\"name\":\"cron_at_job_creation_utimes\",\"updateDate\":1674486406387,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":7}},{\"id\":\"kuu-k1s-gqz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142929241,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[],\"name\":\"systemd_modification_chmod\",\"updateDate\":1674486404846,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":6}},{\"id\":\"hnh-eio-mow\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718435,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_TRACEME \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[],\"name\":\"ptrace_antidebug\",\"updateDate\":1670604150759,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"ddh-ld5-2rj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDS was called via a network 
utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", \\\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"filters\":[],\"name\":\"aws_imds\",\"updateDate\":1670604150281,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"enj-kdc-1tt\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious file was written by a network utility\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0 \\u0026\\u0026 process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\\n)\",\"filters\":[],\"name\":\"net_file_download\",\"updateDate\":1670604150067,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"ct9-og0-h7h\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Network utility executed with suspicious URI\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] 
\",\"filters\":[],\"name\":\"net_unusual_request\",\"updateDate\":1670604150059,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"9dx-svj-apj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An Azure IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"filters\":[],\"name\":\"azure_imds\",\"updateDate\":1670604150058,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"sah-xju-jcq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An GCP IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", ~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"filters\":[],\"name\":\"gcp_imds\",\"updateDate\":1670604150002,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"mmk-0g6-4qu\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1668731826060,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[],\"name\":\"dummy_rule_VxNSK\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1668731826060,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"uze-gr4-sfh\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1667938921652,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1667938921652,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"mgd-dmc-zta\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An interactive shell was started inside of a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n 
\\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 exec.args_flags in [\\\"i\\\"] \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[],\"name\":\"interactive_shell_in_container\",\"updateDate\":1666888169595,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"3lt-gov-2yu\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":1642158534952,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id == \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[],\"name\":\"net_util\",\"updateDate\":1666888163498,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":4}},{\"id\":\"jx4-pkv-247\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1648564123603,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation attempt\",\"enabled\":true,\"expression\":\"(splice.pipe_entry_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \\u0026\\u0026 (splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[],\"name\":\"dirty_pipe_attempt\",\"updateDate\":1666888163347,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"ifl-wfe-sch\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":1617722068439,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was 
executed in a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[],\"name\":\"net_util_in_container\",\"updateDate\":1666888163319,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":6}},{\"id\":\"aux-r7v-odv\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1648564123563,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation\",\"enabled\":true,\"expression\":\"(splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) \\u003e 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[],\"name\":\"dirty_pipe_exploitation\",\"updateDate\":1666888163318,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"vri-cjo-ywh\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":1643639113864,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"enabled\":true,\"expression\":\"(exec.file.path == \\\"/usr/bin/pkexec\\\" \\u0026\\u0026 exec.envs in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] \\u0026\\u0026 exec.envs not in [~\\\"*DISPLAY*\\\", ~\\\"*DESKTOP_SESSION*\\\"] \\u0026\\u0026 exec.uid != 0)\",\"filters\":[],\"name\":\"pwnkit_privilege_escalation\",\"updateDate\":1666888163135,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"ejk-rbu-v9x\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationDate\":1617722068383,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"enabled\":true,\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"filters\":[],\"name\":\"passwd_execution\",\"updateDate\":1666888162106,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"llh-jd2-obf\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1666320581140,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"dummy_rule_cdxqn\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1666320581140,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"xae-nwo-v33\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1666305602255,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"dummy_rule_iNwDw\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1666305602255,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"rvp-ggu-cvk\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706668670,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706791898,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":2}},{\"id\":\"vx9-lii-nnm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706690162,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706690162,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"xur-uya-vqn\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706656639,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[],\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706656639,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"96x-aqb-3yh\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706171079,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"dummy_rule_RMoJm\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706171079,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"ien-7aw-blw\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[],\"name\":\"ssh_authorized_keys_chown\",\"updateDate\":1665475102281,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":4}},{\"id\":\"vqc-lta-u8c\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been 
modified\",\"enabled\":true,\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[],\"name\":\"ssh_authorized_keys_chmod\",\"updateDate\":1665475100348,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":4}},{\"id\":\"m1y-sk8-b4c\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665129615755,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"dummy_rule_xkrhu\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665129615755,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"19v-30b-0xf\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665129432848,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"dummy_rule\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665129432848,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"ehj-52q-wq0\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A 
symbolic link for shell history was created targeting /dev/null\",\"enabled\":true,\"expression\":\"exec.comm == \\\"ln\\\" \\u0026\\u0026 exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"filters\":[],\"name\":\"shell_history_symlink\",\"updateDate\":1661193980229,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"gp1-mai-dlc\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661183150504,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"new_java_detect_sync_test_us1_prod\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661183150504,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"ai3-b8g-lbc\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661182864424,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"new_java_detect_sync_test_prod\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661182864424,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"tmz-dqc-yml\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661182722064,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Execution of a java process\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"new_java_detect_sync_test\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661182722064,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"tef-sab-thr\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001153179,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001158687,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":2}},{\"id\":\"wup-o5b-tjo\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001152681,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[],\"name\":\"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001152681,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"c3v-vla-rev\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001148856,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001148856,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"yel-nbl-2pj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1654691372829,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\",\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1654691372829,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"version\":1}},{\"id\":\"rp0-hmk-9c1\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a IP 
check service\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[],\"name\":\"ip_check_domain\",\"updateDate\":1654020337230,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"ntj-rfs-mw3\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1652008845797,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1652008845797,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"dyn-u7u-v86\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997888388,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997888544,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":2}},{\"id\":\"mlg-yxw-uig\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997887223,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997887223,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"lq3-t6t-xng\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997886363,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997886363,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"1hp-hpr-4ez\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997885869,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997885869,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"mt3-pks-n5s\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997884985,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997884985,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"r4a-yvz-rj7\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997884150,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997884150,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"5k1-gwi-0aq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651943472022,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651943472022,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"lkj-jnq-r6s\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651915815493,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651915815493,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"mbc-iwk-zpb\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651912470539,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651912470539,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"fzb-lli-m26\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651867150336,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651867150336,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"ieg-lmk-cgo\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718705,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container loaded a new kernel module\",\"enabled\":true,\"expression\":\"load_module.name != \\\"\\\" \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[],\"name\":\"kernel_module_load_container\",\"updateDate\":1650371511241,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":2}},{\"id\":\"lzx-kkv-at3\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718540,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to inject code into another process\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == 
PTRACE_POKEUSR\",\"filters\":[],\"name\":\"ptrace_injection\",\"updateDate\":1650293789265,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"foo-pve-qbq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718365,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory inside a container\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[],\"name\":\"kernel_module_load_from_memory_container\",\"updateDate\":1650293788418,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"irg-o45-pxz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1647036168203,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"An example agent rule generated in terraform\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"example_agent_rule\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1647036377676,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":3}},{\"id\":\"rsy-7jg-hqm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392938634,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392938634,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"m39-rre-anw\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392919175,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392919175,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"4wd-unc-xof\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392899126,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392899126,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"jhk-qpj-jlt\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392475857,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an 
agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392475857,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"ruf-aic-d4j\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392453588,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392453588,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"jtf-zrn-0ph\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392434263,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392434263,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"ijz-1cz-bms\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392042558,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392042558,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"21m-gs8-p43\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392021741,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392021741,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"in7-ydq-pbw\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391998597,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391998597,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"v8v-sem-rmg\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391745920,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391745920,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"kox-qtp-cbn\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391725233,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391725233,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"thp-evn-3gr\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391702920,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an 
agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391702920,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"hx6-v0z-9gk\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390450706,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390450706,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"n8j-9n3-urm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390427444,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390427444,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"tkl-mjf-is5\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390405807,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390405807,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"up2-fhh-bc8\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390171673,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390171673,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"vdu-0rd-lnj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390147278,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390147278,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"dfb-wz2-0ka\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390124588,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390124588,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"7vz-wdj-vwc\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389998703,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389998703,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"qls-upn-1vc\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389972825,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an 
agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389972825,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"rxo-lya-bqu\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389950224,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389950224,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"dm3-ip4-rza\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389929035,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389929035,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"rzs-ccq-4qm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389773436,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389773436,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"wa9-zm8-8ds\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389706550,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389706550,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"alm-sgy-vz3\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389645597,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389645597,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"dls-vo9-rqx\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389575084,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389575084,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"fyz-u20-nvn\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389549031,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389549031,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"nqv-0et-fcj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389523942,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389523942,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"u7v-36z-wue\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389502800,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389502800,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"y2z-ffa-zys\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389479547,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389479547,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"cym-1zi-nnd\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389428402,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389428402,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"ip9-wgt-q3k\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389406698,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389406698,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"t9d-zbo-2nw\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389381751,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389381751,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"kaw-0h7-dji\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389356453,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389356453,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"m4i-otg-jnj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389335243,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389335243,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"heh-lnh-xwm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389226802,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389226802,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"cwa-5rh-qtd\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389204108,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389204108,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"e5l-xtx-hmi\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389181761,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389181761,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"ebx-lyj-r3a\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389155207,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389155207,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"xac-4if-49b\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389130549,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389130549,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"dh6-bdu-8v0\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389106392,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389106392,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"hkd-6dr-ify\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388960762,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388960762,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"bsx-fod-0xj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388931383,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388931383,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"8jt-x9p-yoy\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388907818,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388907818,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"rhd-qao-dub\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388883010,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388883010,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"j0f-fhi-ab7\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388862340,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388862340,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"rvn-u2c-xm4\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388843151,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388843151,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"ldn-agb-3fl\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388744863,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388744863,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"cyr-g7t-to0\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388719895,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388719895,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"wnm-xkk-mat\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388693095,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388693095,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"moo-kuq-zbt\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388275282,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388275282,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"wzs-moc-ji9\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388250051,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388250051,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"uw2-d3y-5h6\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388226579,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388226579,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"fez-txs-qf9\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388201323,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388201323,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"fga-mna-xej\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388177724,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388177724,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"iyn-7sl-swn\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388157048,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"go\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388157048,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"p3w-qyi-pbo\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388010676,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388010676,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"yyt-sfa-fck\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387597089,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387597089,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"5z7-fqq-siu\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387573023,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387573023,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"ivz-amj-yl7\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387549793,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387549793,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"lyv-3xn-qch\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387524178,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387524178,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"fpt-c7o-ipx\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387500298,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387500298,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"tap-fek-5kw\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387480011,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387480011,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"u7b-x0z-cbe\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387165931,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387165931,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"hhe-gcm-vjl\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387141298,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387141298,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"nt9-5fe-de1\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387114912,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387114912,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"pj0-bcy-euh\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387082695,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387082695,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"rm5-px4-iua\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387057879,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387057879,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"cqz-7pc-ajz\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387032689,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387032689,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"hot-prj-df5\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386926682,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386926682,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"q7n-lvv-4au\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386901939,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386901939,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"gly-5wu-uny\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386877222,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386877222,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"umz-fjl-7qq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386850558,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386850558,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"spq-5f8-isw\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386826170,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386826170,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"dul-hdz-xmo\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386804704,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386804704,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"n94-q2a-co9\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386762229,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386762229,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"x1n-wra-hdt\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386735946,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386735946,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"kgt-kcc-tnu\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386713348,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386713348,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"znp-dul-gcj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386674573,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"an agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"java\\\"\",\"filters\":[],\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\",\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386674573,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"version\":1}},{\"id\":\"ily-tsr-dtj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":1627392836759,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Compiler Executed in Container\",\"enabled\":true,\"expression\":\"(exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || (exec.file.name == \\\"go\\\" \\u0026\\u0026 exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) \\u0026\\u0026 container.id !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path != 
\\\"/usr/bin/cilium-agent\\\"\",\"filters\":[],\"name\":\"compiler_in_container\",\"updateDate\":1636729662344,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"jl5-wjt-58e\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"Process Activity\",\"creationDate\":1627392836096,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"EC2 Instance Metadata Service Accessed via Network Utility\",\"enabled\":true,\"expression\":\"exec.file.path in [\\\"/usr/bin/wget\\\", \\\"/usr/bin/curl\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254*\\\"]\",\"filters\":[],\"name\":\"aws_metadata_service\",\"updateDate\":1629226276630,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":1}},{\"id\":\"8ol-dkr-aml\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Nsswitch Configuration Modified\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[],\"name\":\"nsswitch_conf_mod_link\",\"updateDate\":1628512222322,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"fdf-wvb-c3k\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Nsswitch Configuration Modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" 
])\\n)\",\"filters\":[],\"name\":\"nsswitch_conf_mod_open\",\"updateDate\":1628512222322,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"pkn-azw-qia\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Nsswitch Configuration Modified\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[],\"name\":\"nsswitch_conf_mod_rename\",\"updateDate\":1628512222322,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"wpt-ba8-mpd\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Nsswitch Configuration Modified\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[],\"name\":\"nsswitch_conf_mod_unlink\",\"updateDate\":1628512222322,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"7ud-d2o-qgo\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Nsswitch Configuration Modified\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[],\"name\":\"nsswitch_conf_mod_utimes\",\"updateDate\":1628512222322,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"za8-uxc-jxk\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File 
Activity\",\"creationDate\":1606142954844,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH Authorized Keys Modified\",\"enabled\":true,\"expression\":\"(\\n link.file.name == \\\"authorized_keys\\\" \\u0026\\u0026 (link.file.path in [ ~\\\"*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"filters\":[],\"name\":\"ssh_authorized_keys_link\",\"updateDate\":1628512221784,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"tiz-yss-zhq\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH Authorized Keys Modified\",\"enabled\":true,\"expression\":\"(\\n rename.file.name == \\\"authorized_keys\\\" \\u0026\\u0026 (rename.file.path in [ ~\\\"*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"filters\":[],\"name\":\"ssh_authorized_keys_rename\",\"updateDate\":1628512221784,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"apr-zj4-ee1\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH Authorized Keys Modified\",\"enabled\":true,\"expression\":\"(\\n unlink.file.name == \\\"authorized_keys\\\" \\u0026\\u0026 (unlink.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"filters\":[],\"name\":\"ssh_authorized_keys_unlink\",\"updateDate\":1628512221784,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}},{\"id\":\"yhq-etl-wr6\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[],\"agentConstraint\":\"\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH Authorized Keys 
Modified\",\"enabled\":true,\"expression\":\"(\\n utimes.file.name == \\\"authorized_keys\\\" \\u0026\\u0026 (utimes.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"filters\":[],\"name\":\"ssh_authorized_keys_utimes\",\"updateDate\":1628512221784,\"updater\":{\"name\":\"\",\"handle\":\"\"},\"version\":3}}]}" }, "cookies": [], "headers": [ { "name": "content-type", - "value": "application/json" + "value": "application/vnd.api+json" } ], - "headersSize": 688, + "headersSize": 669, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-06-04T08:45:43.055Z", - "time": 911 + "startedDateTime": "2025-10-02T12:40:48.218Z", + "time": 1069 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-returns-OK-response_3926879732/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-returns-OK-response_3926879732/frozen.json index 1912236738a6..3fce52f3dd17 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-returns-OK-response_3926879732/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-returns-OK-response_3926879732/frozen.json @@ -1 +1 @@ -"2025-06-04T08:45:53.095Z" +"2025-10-02T12:40:49.297Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-returns-OK-response_3926879732/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-returns-OK-response_3926879732/recording.har index 4a79afd0a772..72be7e6b821f 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-returns-OK-response_3926879732/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-agent-rules-returns-OK-response_3926879732/recording.har 
@@ -28,11 +28,11 @@ "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" }, "response": { - "bodySize": 337295, + "bodySize": 365701, "content": { "mimeType": "application/json", - "size": 337295, - "text": "{\"data\":[{\"id\":\"aoo-snu-t5u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714423023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714423023\",\"updateDate\":1714423024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-eho\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Container escape attempted by overwriting release_agent\",\"enabled\":true,\"expression\":\"open.file.name == \\\"release_agent\\\" \\u0026\\u0026 open.file.path in [\\\"/tmp/**\\\", \\\"/home/**\\\", \\\"/root/**\\\", \\\"/*\\\"] \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"release_agent_escape\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"5zt-j5u-aqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715287024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715287024\",\"updateDate\":1715287024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fpa-r6g-2em\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_open\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ujx-skx-369\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1744258690000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1744258690\",\"updateDate\":1744258690000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"oed-ka8-syl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711550899000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"my_agent_rule\",\"updateDate\":1711550899000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"24l-rs9-d0x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1710500975000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1710500975\",\"updateDate\":1710500975000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-xv7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the kmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"kmod\\\" \\u0026\\u0026 exec.args in [~\\\"*list*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kmod_list\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1082-system-information-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xiu-ghq-4zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_chown\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"x7i-34j-1rv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pam_modification_link\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bv2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process matches known relay attack tool\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"*PetitPotam*\\\", ~\\\"*RottenPotato*\\\", ~\\\"*HotPotato*\\\", ~\\\"*JuicyPotato*\\\", ~\\\"*just_dce_*\\\", ~\\\"*Juicy Potato*\\\", \\\"rot.exe\\\", \\\"Potato.exe\\\", \\\"SpoolSample.exe\\\", \\\"Responder.exe\\\", ~\\\"*smbrelayx*\\\", ~\\\"*smbrelayx*\\\", ~\\\"*ntlmrelayx*\\\", ~\\\"*LocalPotato*\\\"] || exec.cmdline in [~\\\"*Invoke-Tater*\\\", ~\\\"*smbrelay*\\\", ~\\\"*ntlmrelay*\\\", ~\\\"*cme smb*\\\", ~\\\"*ntlm:NTLMhash*\\\", ~\\\"*Invoke-PetitPotam*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"relay_attack_tool_execution\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1555-credentials-from-password-stores\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wzz-ni8-56v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1733963824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733963824\",\"updateDate\":1733963824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"z2v-n54-g9a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733661423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733661422\",\"updateDate\":1733661424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"6at-weo-6ya\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746635720659,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746635720\",\"updateDate\":1746635720659,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-but\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n 
\\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/u
sr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"])\\n\\u0026\\u0026 process.parent.file.name in [\\\"java\\\", \\\"jspawnhelper\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"java_shell_execution_parent\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9pu-mp3-xea\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", 
~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_rename\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7zf-mmz-56y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746616270272,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746616270\",\"updateDate\":1746616270272,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"krx-co0-pz2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715531823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715531822\",\"updateDate\":1715531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kfi-eog-4ml\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746631376325,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746631375\",\"updateDate\":1746631376325,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9ym-18v-5zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_link\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w7o-w48-j34\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pam_modification_open\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"i0b-hk0-7h3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715560625000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715560625\",\"updateDate\":1715560625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"p6o-t98-nm1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735691823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735691823\",\"updateDate\":1735691824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-bxs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"sudoers_policy_modified_unlink\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-lel\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Perl executed with suspicious argument\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"perl*\\\" \\u0026\\u0026 exec.args_flags in [\\\"e\\\"] \\u0026\\u0026 (exec.args in [~\\\"*socket*\\\", ~\\\"*bind*\\\", ~\\\"*sockaddr*\\\", ~\\\"*listen*\\\", ~\\\"*accept\\\", ~\\\"*stdin*\\\", ~\\\"*stdout\\\"])\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"perl_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1210-exploitation-of-remote-services\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"m77-qgu-c48\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1717677423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717677422\",\"updateDate\":1717677424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tiy-95c-mkc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723797423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723797423\",\"updateDate\":1723797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-crv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"sudoers_policy_modified_chmod\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"krq-ced-idm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746702684947,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746702684\",\"updateDate\":1746702684947,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"i5i-xfz-wxs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746195393441,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746195393\",\"updateDate\":1746195393441,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wnk-nli-nbp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", 
\\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"cron_at_job_creation_chown\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"m23-qb9-9s8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"cron_at_job_creation_unlink\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"94l-lhd-e33\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kernel_module_chown\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hsg-toh-i57\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1723610223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723610223\",\"updateDate\":1723610224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ybl-tp8-aab\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730263023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730263022\",\"updateDate\":1730263025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uor-lfz-jrm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746097917859,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746097917\",\"updateDate\":1746097917859,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"fyq-x5u-mv1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", 
~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kernel_module_utimes\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3gw-vkx-b7s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728419826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1728419824\",\"updateDate\":1728419826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ou7-vxd-f9m\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746611594063,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746611593\",\"updateDate\":1746611594063,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ast-isd-tty\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715645381000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1715645381\",\"updateDate\":1715645381000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"w6f-wte-i63\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_link\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"es7-rhv-nra\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714797423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714797422\",\"updateDate\":1714797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fmr-do0-8np\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1748003540353,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"initial description\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"fcggsfqidc\",\"product_tags\":[\"compliance_framework:HIPAA\"],\"updateDate\":1748003540353,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"aw7-tup-sy0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746628448155,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746628447\",\"updateDate\":1746628448155,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"lkj-jnb-khe\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"imds_v1_usage_services\",\"field\":\"process.file.name\",\"append\":true,\"ttl\":10000000000},\"disabled\":false}],\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDSv1 request was issued\",\"disabled\":[\"CWS_DD\"],\"enabled\":false,\"expression\":\"imds.cloud_provider == \\\"aws\\\" \\u0026\\u0026 imds.aws.is_imds_v2 == false \\u0026\\u0026 process.file.name not in ${imds_v1_usage_services}\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"imds_v1_usage\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:best-practice\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d1i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process memory was dumped using the minidump function from comsvcs.dll\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*MiniDump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*comsvcs*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"minidump_usage\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4ov-ang-2gx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a IP check service\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ip_check_domain\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1016-system-network-configuration-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hcr-3py-6it\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1736807340000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1736807340\",\"updateDate\":1736807342000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"igb-n2l-mh4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746635706008,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746635705\",\"updateDate\":1746635706008,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-y7j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_open_v2\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kax-qcg-qu0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714581423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714581423\",\"updateDate\":1714581424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"y0s-toi-yyk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746097927076,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746097926\",\"updateDate\":1746097927076,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"gfp-rvz-fcq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746633537526,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746633537\",\"updateDate\":1746633537526,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"j8a-wic-bvi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file directory\",\"enabled\":true,\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\", ~\\\"LD_PRELOAD=/dev/shm/*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ld_preload_unusual_library_path\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1574-hijack-execution-flow\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"fii-ysi-7bu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715618226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715618224\",\"updateDate\":1715618226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ceu-3h6-qug\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740269813000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1740269813\",\"updateDate\":1740269814000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"8rl-d3i-xyv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746195378531,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746195378\",\"updateDate\":1746195378531,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-925\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell with a TTY was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 process.tty_name != \\\"\\\" \\u0026\\u0026 process.container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"tty_shell_in_container\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1609-container-administration-command\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jr3-0m8-jlj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"hash\":{},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process launched with arguments associated 
with cryptominers\",\"enabled\":true,\"expression\":\"exec.args_options in [~\\\"cpu-priority*\\\", ~\\\"donate-level*\\\"] || exec.args_flags == \\\"randomx-1gb-pages\\\" || exec.args in [~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"cryptominer_args\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3cv-rwp-2t7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724215024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724215024\",\"updateDate\":1724215024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"245-ynt-xcy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714610223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714610223\",\"updateDate\":1714610224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9of-ebc-ypn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1733143023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733143022\",\"updateDate\":1733143023000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-juz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A privileged container was created\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003c 1s \\u0026\\u0026 process.cap_permitted \\u0026 CAP_SYS_ADMIN \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"deploy_priv_container\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\",\"policy:best-practice\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"5b4-k0v-rzw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734424624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734424623\",\"updateDate\":1734424624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"6w8-3xn-j4c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1736066223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1736066222\",\"updateDate\":1736066224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-t06\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"find command searching for sensitive files\",\"enabled\":true,\"expression\":\"exec.comm == \\\"find\\\" \\u0026\\u0026 exec.args in [~\\\"*credentials*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"find_credentials\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3i1-zpd-ycj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in 
[~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kernel_module_rename\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hk2-qrd-3jt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714667824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714667824\",\"updateDate\":1714667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fog-8k1-fzi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733704624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733704624\",\"updateDate\":1733704624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vma-z5w-bi9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734179823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734179822\",\"updateDate\":1734179825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-4xu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the lsmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"exec_lsmod\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1082-system-information-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"c79-8dg-klx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715445423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715445422\",\"updateDate\":1715445424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"y5i-yxn-27t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.mode != chmod.file.destination.mode\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_chmod\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"egv-kvz-h9q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746529942370,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746529942\",\"updateDate\":1746529942370,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-vjv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Command executed via 
WMI\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name == \\\"WmiPrvSE.exe\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"wmi_spawning_shell\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1047-windows-management-instrumentation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-76q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows cryptographic blocking policy modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllRemoveSignedDataMsg*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"windows_cryptographic_blocking_policy_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PHP web application spawning shell\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name in [\\\"php.exe\\\",\\\"php-cgi.exe\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"php_spawning_shell\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1210-exploitation-of-remote-services\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pwu-7u7-iiq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_TRACEME \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ptrace_antidebug\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1622-debugger-evasion\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"nco-423-hiu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733531824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733531824\",\"updateDate\":1733531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4sz-cc7-ukd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733560627000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733560624\",\"updateDate\":1733560627000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zjt-hio-sx0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1748011784397,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"initial description\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"wgxsdtgtmx\",\"product_tags\":[\"compliance_framework:HIPAA\"],\"updateDate\":1748011784397,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"18r-273-a6u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735547824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735547824\",\"updateDate\":1735547824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-a65\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Web application requested IMDSv1 credentials\",\"enabled\":true,\"expression\":\"imds.aws.is_imds_v2 == false \\u0026\\u0026 imds.url =~ \\\"*/*/meta-data/iam/security-credentials/*\\\" \\u0026\\u0026 (process.ancestors.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.ancestors.file.name =~ \\\"php*\\\" || process.ancestors.file.name == \\\"java\\\")\",\"filters\":[\"os 
== \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"webapp_imds_V1_request\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1531-account-access-removal\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"p4n-ijm-zeu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714155721000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714155721\",\"updateDate\":1714155721000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uyv-a9k-8l7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734395826000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734395824\",\"updateDate\":1734395826000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mtg-s1f-xy5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716050223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716050222\",\"updateDate\":1716050224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ctc-pux-luh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737951387000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1737951387\",\"updateDate\":1737951389000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-fsq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A cryptominer was potentially executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", ~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"windows_cryptominer_process\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qnj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process made an outbound IRC 
connection\",\"enabled\":true,\"expression\":\"connect.addr.port == 6667 \\u0026\\u0026 connect.addr.is_public == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"irc_connection\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1071-application-layer-protocol\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"eue-gqs-59v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715503024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715503024\",\"updateDate\":1715503024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ocv-we5-g5y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715661423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715661422\",\"updateDate\":1715661423000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-0fx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell process spawned from print server\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 process.parent.file.name == \\\"foomatic-rip\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"cups_spawned_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2s5-ipa-ooo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process wrote to a dynamic linker config file\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"] \\u0026\\u0026 process.argv0 not in [\\\"runc\\\", \\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"dynamic_linker_config_write\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1574-hijack-execution-flow\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hgr-nny-7zr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720471023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1720471022\",\"updateDate\":1720471024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"91f-pyq-54k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n link.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (link.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssh_authorized_keys_link\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"0i7-z9o-zed\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"processes_accessing\",\"field\":\"process.file.path\",\"append\":true,\"ttl\":60000000000},\"disabled\":false}],\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Kubernetes pod service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/var/run/secrets/kubernetes.io/serviceaccount/**\\\", ~\\\"/run/secrets/kubernetes.io/serviceaccount/**\\\"]\\n\\u0026\\u0026 open.file.name == \\\"token\\\"\\n\\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\\n\\u0026\\u0026 process.file.path not in [\\\"/usr/bin/cilium-agent\\\", \\\"/coredns\\\", \\\"/usr/bin/cilium-operator\\\", \\\"/manager\\\", \\\"/fluent-bit/bin/fluent-bit\\\", \\\"/usr/local/bin/cloud-node-manager\\\", \\\"/secrets-store-csi\\\", \\\"/bin/secrets-store-csi-driver-provider-aws\\\", \\\"/usr/bin/calico-node\\\", \\\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\\\", 
\\\"/nginx-ingress-controller\\\", \\\"/cluster-autoscaler\\\", \\\"/cluster-proportional-autoscaler\\\", \\\"/haproxy-ingress-controller\\\", \\\"/kube-state-metrics\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/external-secrets\\\", \\\"/node-termination-handler\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/vault\\\", \\\"/usr/local/bin/kubectl\\\", \\\"/local-provisioner\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/usr/local/bin/vaultd\\\", \\\"/usr/local/bin/trace-driveline-writer\\\", \\\"/usr/local/bin/registration-controller\\\", \\\"/usr/local/bin/cluster-autoscaler\\\"]\\n\\u0026\\u0026 process.file.path not in ${processes_accessing}\\n\\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"k8s_pod_service_account_token_accessed\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-myb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path == \\\"/etc/sudoers\\\"\\n 
|| link.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"sudoers_policy_modified_link\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3hj-2t8-ydm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1729787824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1729787824\",\"updateDate\":1729787824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ro3-z56-52j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732221423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1732221423\",\"updateDate\":1732221424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w3d-qp8-3yb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716309424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1716309424\",\"updateDate\":1716309424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zdz-ued-luw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714797424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714797424\",\"updateDate\":1714797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nue-wxi-y3i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735720623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735720623\",\"updateDate\":1735720626000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-969\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible netcat shell detected\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"netcat\\\", \\\"nc\\\", \\\"ncat\\\"] \\u0026\\u0026 ((exec.args_flags in [\\\"l\\\"] \\u0026\\u0026 exec.args_flags in [\\\"p\\\"]) || (exec.args_flags in [\\\"n\\\"] \\u0026\\u0026 exec.args_flags in [\\\"v\\\"]) || (exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\"]))\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"netcat_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"bwn-zl7-d0k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746097915502,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746097915\",\"updateDate\":1746097915502,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"eor-xnf-mac\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746616279688,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746616279\",\"updateDate\":1746616279688,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"h4n-yuq-2mp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715632623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715632622\",\"updateDate\":1715632624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ylx-z1o-jjd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746184343494,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746184343\",\"updateDate\":1746184343494,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ti4-rku-0ke\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746789271799,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746789271\",\"updateDate\":1746789271799,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"wri-hx3-4n3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pam_modification_rename\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qn0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsenter used to breakout of container\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"nsenter\\\" \\u0026\\u0026 exec.args_options in [\\\"target=1\\\", \\\"t=1\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"nsenter_in_container\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ev9-rxn-om1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733272623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733272622\",\"updateDate\":1733272626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-dpm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to enable writing to model-specific registers\",\"enabled\":true,\"expression\":\"exec.comm == \\\"modprobe\\\" \\u0026\\u0026 process.args =~ 
\\\"*msr*allow_writes*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kernel_msr_write\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-88h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Egress traffic allowed using iptables\",\"enabled\":true,\"expression\":\"exec.comm == \\\"iptables\\\" \\u0026\\u0026 process.args in [r\\\"OUTPUT.*((25[0-5]|(2[0-4]|1\\\\d|[1-9]|)\\\\d)\\\\.?\\\\b){4}.*ACCEPT\\\"] \\u0026\\u0026 process.args not in [r\\\"(127\\\\.)|(10\\\\.)|(172\\\\.1[6-9]\\\\.)|(172\\\\.2[0-9]\\\\.)|(^172\\\\.3[0-1]\\\\.)|(192\\\\.168\\\\.)|(169\\\\.254\\\\.)\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"iptables_egress_allowed\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d4i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"NTDS file referenced in commandline\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ntds_in_commandline\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"syl-o29-0dq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714826223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714826223\",\"updateDate\":1714826223000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"6ak-6po-dd6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716640623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716640622\",\"updateDate\":1716640624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-bus\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The executable bit was added to a newly created file\",\"enabled\":true,\"expression\":\"chmod.file.in_upper_layer \\u0026\\u0026\\nchmod.file.change_time \\u003c 30s \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026\\nchmod.file.destination.mode != chmod.file.mode \\u0026\\u0026\\nchmod.file.destination.mode \\u0026 S_IXUSR|S_IXGRP|S_IXOTH \\u003e 0 \\u0026\\u0026\\nprocess.argv in [\\\"+x\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"executable_bit_added\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1222-file-and-directory-permissions-modification\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pfu-dvh-e5w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pam_modification_chown\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qf8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"sharpup tool used for local privilege escalation\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sharpup.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*HijackablePaths*\\\", ~\\\"*UnquotedServicePath*\\\", ~\\\"*ProcessDLLHijack*\\\", ~\\\"*ModifiableServiceBinaries*\\\", ~\\\"*ModifiableScheduledTask*\\\", ~\\\"*DomainGPPPassword*\\\", ~\\\"*CachedGPPPassword*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"sharpup_tool_usage\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"k8w-brg-51l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715445426000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715445424\",\"updateDate\":1715445426000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"dtv-dxk-3pn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746616272397,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746616272\",\"updateDate\":1746616272397,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"qes-e3j-s1d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746443538639,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746443538\",\"updateDate\":1746443538639,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ro4-rju-1vq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An GCP IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", ~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"gcp_imds\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-u1r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process deleted common system log files\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/var/run/utmp\\\", \\\"/var/log/wtmp\\\", \\\"/var/log/btmp\\\", \\\"/var/log/lastlog\\\", \\\"/var/log/faillog\\\", \\\"/var/log/syslog\\\", \\\"/var/log/messages\\\", \\\"/var/log/secure\\\", \\\"/var/log/auth.log\\\", \\\"/var/log/boot.log\\\", \\\"/var/log/kern.log\\\"] \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"delete_system_log\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1070-indicator-removal\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows winlogon registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"winlogon_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xg0-u09-xir\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733603824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733603824\",\"updateDate\":1733603824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kv9-026-vhz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ 
\\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"credential_modified_utimes\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dmf-a2c-odj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A symbolic link for shell history was created targeting /dev/null\",\"enabled\":true,\"expression\":\"exec.comm == \\\"ln\\\" \\u0026\\u0026 exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"shell_history_symlink\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1070-indicator-removal\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"vsk-ewy-s83\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714451823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714451823\",\"updateDate\":1714451824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-4tl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Certutil was executed to transmit or decode a potentially malicious file\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"certutil.exe\\\" \\u0026\\u0026 ((exec.cmdline =~ \\\"*urlcache*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*split*\\\") || exec.cmdline =~ \\\"*decode*\\\")\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"certutil_usage\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"fry-rzn-glo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1748012434322,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"initial description\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"obtppsoxzh\",\"product_tags\":[\"compliance_framework:HIPAA\"],\"updateDate\":1748012434322,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"x2p-h4q-sxd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1746702682078,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746702682\",\"updateDate\":1746702682078,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-m9i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows environment variable registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Environment*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"windows_system_enviroment_variable_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w0z-64n-bss\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed in a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"net_util_in_container\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"0zl-ilo-guv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716050224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716050224\",\"updateDate\":1716050224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"svl-2s4-jd4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730450224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730450223\",\"updateDate\":1730450224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nio-59w-ip8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714927026000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714927026\",\"updateDate\":1714927026000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qoe-y42-hqp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716554224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716554224\",\"updateDate\":1716554224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ges-qo5-4p8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746635709720,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746635709\",\"updateDate\":1746635709720,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"y0y-3gl-645\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n unlink.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (unlink.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssh_authorized_keys_unlink\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oil\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The unshare utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"unshare\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"unshare_in_container\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6lj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"windows explorer file has been modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\explorer.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"windows_explorer_executable_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ab6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently modified file requested credentials from IMDS\",\"enabled\":true,\"expression\":\"imds.url =~ 
\\\"/*/meta-data/iam/security-credentials/*\\\" \\u0026\\u0026 (process.parent.file.modification_time \\u003c 120s || process.file.modification_time \\u003c 30s)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"modified_file_requesting_imds_creds\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qem\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was deleted via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"userdel\\\", \\\"deluser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"user_deleted_tty\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1531-account-access-removal\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xxc-35o-apy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1729427824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1729427824\",\"updateDate\":1729427824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zkc-kqn-frn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746616273510,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746616273\",\"updateDate\":1746616273510,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"hsx-x1l-3zb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746097926103,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746097925\",\"updateDate\":1746097926103,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"44y-bei-bqj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746633539277,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746633538\",\"updateDate\":1746633539277,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-0pf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to overwrite the container entrypoint\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/proc/self/fd/1\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0 \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"overwrite_entrypoint\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"269-p6y-i3p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742473183000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1742473182\",\"updateDate\":1742473183000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mgl-xtg-ctl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715027823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715027822\",\"updateDate\":1715027824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xjd-huv-ice\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746611612739,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746611612\",\"updateDate\":1746611612739,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-jl7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"openssl used to establish backdoor\",\"enabled\":true,\"expression\":\"exec.comm == \\\"openssl\\\" \\u0026\\u0026 exec.args =~ \\\"*s_client*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"openssl_backdoor\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"uhw-kuq-ute\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721119025000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721119024\",\"updateDate\":1721119025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"710-xzg-ays\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714480623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714480623\",\"updateDate\":1714480624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"434-kuh-g0w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746184344309,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746184344\",\"updateDate\":1746184344309,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"uis-h13-41q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" 
]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"cron_at_job_creation_open\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dkb-9ud-0ca\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container loaded a new kernel module\",\"enabled\":true,\"expression\":\"load_module.name != \\\"\\\" \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kernel_module_load_container\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"1ej-lz6-3iy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735648624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735648624\",\"updateDate\":1735648624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tw0-y2e-9wf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1738627773000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1738627773\",\"updateDate\":1738627773000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"qzk-a8h-ikx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746195394785,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746195394\",\"updateDate\":1746195394785,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"v5x-8l4-d6a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 open.file.path in [~\\\"/root/*\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.file.name == \\\"truncate\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"shell_history_truncated\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1070-indicator-removal\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"td2-31c-ln4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"credential_modified_chown\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lli-czr-q4y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"credential_modified_link\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rc4-b53-3sj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715863024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715863024\",\"updateDate\":1715863024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bjk-8om-6ua\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746184333160,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746184333\",\"updateDate\":1746184333160,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-41f\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH initiated a connection on a nonstandard port\",\"enabled\":true,\"expression\":\"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] \\u0026\\u0026 process.file.name == \\\"ssh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssh_nonstandard_connection\",\"product_tags\":[\"tactic:TA0008-lateral-movement\",\"technique:T1021-remote-services\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7vi-w5r-h15\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", 
~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_chmod\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-3b9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n 
\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"credential_modified_open_v2\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"piq-bha-m6t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714279024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714279024\",\"updateDate\":1714279024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fiw-wuv-ueg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734914224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734914224\",\"updateDate\":1734914224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tjr-ib4-gya\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714509423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714509423\",\"updateDate\":1714509424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"z0t-qdd-lkb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746630384644,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746630384\",\"updateDate\":1746630384644,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"t5u-qdx-650\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n rename.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (rename.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssh_authorized_keys_rename\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mmo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n(open.file.path == \\\"/etc/sudoers\\\")) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"sudoers_policy_modified_open\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"yep-euy-ttp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714552623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714552623\",\"updateDate\":1714552624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3xf-404-qez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714667823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714667823\",\"updateDate\":1714667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-7ez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible php shell detected\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"php\\\" \\u0026\\u0026 exec.args_flags in [\\\"r\\\"] \\u0026\\u0026 ((exec.args in [~\\\"*socket_bind*\\\", ~\\\"*socket_listen*\\\", ~\\\"*socket_accept*\\\", ~\\\"*socket_create*\\\", ~\\\"*socket_write*\\\", ~\\\"*socket_read*\\\"]) || (exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\"]))\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"php_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1210-exploitation-of-remote-services\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6ql\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"memfd object 
created\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\"memfd*\\\" \\u0026\\u0026 exec.file.path == \\\"\\\" \\u0026\\u0026 process.parent.file.path not in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\" , \\\"/run/docker/runtime-runc/moby/*\\\", \\\"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\\\"] \\u0026\\u0026 !(process.comm == \\\"dd-ipc-helper\\\" \\u0026\\u0026 exec.file.name in [\\\"memfd:spawn_worker_trampoline (deleted)\\\", \\\"memfd:spawn_worker_trampoline\\\"])\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"memfd_create\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1620-reflective-code-loading\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mq1-y7n-kf2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path 
in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/t
sort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"]) \\u0026\\u0026\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] \\u0026\\u0026\\n!(process.parent.file.name == \\\"initdb\\\" \\u0026\\u0026\\nexec.args == \\\"-c locale -a\\\") \\u0026\\u0026\\n!(process.parent.file.name == \\\"postgres\\\" \\u0026\\u0026\\nexec.args == ~\\\"*pg_wal*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"database_shell_execution\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rjm-biu-bqq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715272623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715272622\",\"updateDate\":1715272624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qk2-gkn-517\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730162223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730162223\",\"updateDate\":1730162225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"szu-tkm-xvx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746443529377,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746443529\",\"updateDate\":1746443529377,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-uv8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"systemctl used to stop a service\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"systemctl\\\" \\u0026\\u0026 exec.args in [~\\\"*stop*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"service_stop\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1489-service-stop\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oi1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible socat shell detected\",\"enabled\":true,\"expression\":\"((exec.file.name == \\\"socat\\\") || (exec.comm == \\\"socat\\\")) \\u0026\\u0026 exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\", ~\\\"*exec*\\\", ~\\\"*pty*\\\", ~\\\"*setsid*\\\", 
~\\\"*stderr*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"socat_shell\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The kubeconfig file was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"read_kubeconfig\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"vyd-2vb-tnk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1738469890000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1738469890\",\"updateDate\":1738469890000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"00d-kfn-fwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740025013000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1740025013\",\"updateDate\":1740025019000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"912-lu2-2sg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1731203077000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1731203077\",\"updateDate\":1731203077000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"qfa-phf-txa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746529940327,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746529940\",\"updateDate\":1746529940327,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"07y-k18-cih\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was created via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"D\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"user_created_tty\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1136-create-account\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7zw-qbm-y6d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"systemd_modification_open\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ucb-5zb-rmj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/modules/**\\\", 
~\\\"/usr/lib/modules/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kernel_module_link\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ag7-847-gm6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746529951029,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746529950\",\"updateDate\":1746529951029,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"v64-qmf-tal\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740543488000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My 
Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1740543488\",\"updateDate\":1740543488000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"wt2-84b-uy6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737433133000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1737433133\",\"updateDate\":1737433133000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kvo-o7f-pgu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746789257870,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746789257\",\"updateDate\":1746789257870,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-h1x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Docker socket was referenced in a cURL command\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"curl\\\" \\u0026\\u0026 exec.args_flags in [\\\"unix-socket\\\"] \\u0026\\u0026 exec.args in [~\\\"*docker.sock*\\\"] \\u0026\\u0026 
container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"curl_docker_socket\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kpm-7kh-xz5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to inject code into another process\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ptrace_injection\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1055-process-injection\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jlt-y4v-dax\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"systemd_modification_unlink\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dou-40j-cpw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721378223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721378223\",\"updateDate\":1721378224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"eqx-iiy-wru\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746195384460,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746195384\",\"updateDate\":1746195384460,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"pz7-rvb-ckm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734692969000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1734692969\",\"updateDate\":1734692970000,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"rsm-fam-pfp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714869424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714869424\",\"updateDate\":1714869424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0t6-uce-ee0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734899824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734899824\",\"updateDate\":1734899824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"voe-mel-8yq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746611600937,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746611600\",\"updateDate\":1746611600937,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-fn2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell profile was 
modified\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] \\u0026\\u0026 open.flags \\u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"shell_profile_modification\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-x51\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Safeboot registry modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"safeboot_modification\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xh4-cv2-cfa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719031023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719031022\",\"updateDate\":1719031024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fyp-i9k-cv7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1746630386239,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746630385\",\"updateDate\":1746630386239,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-49j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A known kubernetes pentesting tool has been executed\",\"enabled\":true,\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] \\u0026\\u0026 (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"offensive_k8s_tool\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mqh-lgo-brj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_chmod\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"k95-kl4-jxt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714696623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714696623\",\"updateDate\":1714696627000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5rb-4q9-p5g\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716813423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716813422\",\"updateDate\":1716813424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"b79-xcg-63p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719059824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719059824\",\"updateDate\":1719059824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"k1r-tva-i6e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1727829423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1727829422\",\"updateDate\":1727829425000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"cx8-x1r-vs8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746630369591,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746630369\",\"updateDate\":1746630369591,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9l7-am7-hy6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1736986169000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1736986169\",\"updateDate\":1736986169000,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"8tp-dmg-o8w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746702691437,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746702691\",\"updateDate\":1746702691437,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"e5h-onu-f7l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_open\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xgw-28i-480\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container executed a new binary 
not found in the container image\",\"enabled\":true,\"expression\":\"container.id != \\\"\\\" \\u0026\\u0026 process.file.in_upper_layer \\u0026\\u0026 process.file.modification_time \\u003c 30s \\u0026\\u0026 exec.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"new_binary_execution_in_container\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sfj-gky-roy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732869424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732869424\",\"updateDate\":1732869424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"o9g-ptk-2zv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733575024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733575024\",\"updateDate\":1733575024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"shf-bur-1id\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735288624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735288624\",\"updateDate\":1735288624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"isj-kzv-ebz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746633518640,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746633518\",\"updateDate\":1746633518640,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-dnj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS CLI utility was executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"aws\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"aws_cli_usage\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1651-cloud-administration-command\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tp8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process opened a model-specific register (MSR) configuration file\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/sys/module/msr/parameters/allow_writes\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"open_msr_writes\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wgq-lg4-tas\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SELinux enforcement status was disabled\",\"enabled\":true,\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] \\u0026\\u0026 process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"selinux_disable_enforcement\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ukn-yjf-h6a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719981424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719981423\",\"updateDate\":1719981424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"f5p-men-xz3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735994224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735994224\",\"updateDate\":1735994224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"64n-p6m-uq1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"systemd_modification_link\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-o13\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The configuration directory for an ssh worm\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssh_it_tool_config_write\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"e6l-qo1-y2e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714682223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714682223\",\"updateDate\":1714682224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-ly8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd configuration file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"auditd_config_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"qt9-i99-q9p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ 
\\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_utimes\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4yt-ize-avz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Omiagent spawns a privileged child process\",\"enabled\":true,\"expression\":\"exec.uid \\u003e= 0 \\u0026\\u0026 process.ancestors.file.name == \\\"omiagent\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"omigod\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1203-exploitation-for-client-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-npv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Detects CVE-2022-0543\",\"enabled\":true,\"expression\":\"(open.file.path =~ \\\"/usr/lib/x86_64-linux-gnu/*\\\" \\u0026\\u0026 open.file.name in [\\\"libc-2.29.so\\\", \\\"libc-2.30.so\\\", \\\"libc-2.31.so\\\", \\\"libc-2.32.so\\\", \\\"libc-2.33.so\\\", \\\"libc-2.34.so\\\", \\\"libc-2.35.so\\\", \\\"libc-2.36.so\\\", \\\"libc-2.37.so\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"redis_sandbox_escape\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jeh-18e-m9h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An interactive shell was started inside of a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 exec.args_flags in [\\\"i\\\"] \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"interactive_shell_in_container\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1609-container-administration-command\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"qba-1qm-uj5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1721075824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721075824\",\"updateDate\":1721075824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"2dz-kyt-nme\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kernel_module_chmod\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ibc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The mount utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"mount\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"mount_in_container\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ogb-clp-hot\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"cron_at_job_creation_chmod\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zo8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently written or modified suid file has been executed\",\"enabled\":true,\"expression\":\"((process.file.mode \\u0026 S_ISUID \\u003e 0) \\u0026\\u0026 process.file.modification_time \\u003c 30s) \\u0026\\u0026 exec.file.name != \\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"suspicious_suid_execution\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"tr5-g9p-4jx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734799023000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734799023\",\"updateDate\":1734799025000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"pix-a2q-opu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746633525563,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746633525\",\"updateDate\":1746633525563,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5c8-aij-182\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720156180000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testrustgetacsmthreatsagentrulereturnsokresponse1720156180\",\"updateDate\":1720156180000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sqi-q1z-onu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Network utility executed with suspicious URI\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] \",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"net_unusual_request\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jf1-ep2-li7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1745209090000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1745209090\",\"updateDate\":1745209090000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9n1-l1g-u4k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721853424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721853423\",\"updateDate\":1721853424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1l2-7qh-mfa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717432623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717432622\",\"updateDate\":1717432626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-nip\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Browser WebDriver spawned shell\",\"enabled\":true,\"expression\":\"process.parent.file.name in [~\\\"chromedriver*\\\", \\\"geckodriver\\\"] \\u0026\\u0026 exec.file.name not in [\\\"chrome\\\", \\\"google-chrome\\\", \\\"chromium\\\", \\\"firefox\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"webdriver_spawned_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rpc-ji0-zfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssh_authorized_keys_open\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j1p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows Known DLLs location registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\KnownDLLs*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"known_dll_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1574-hijack-execution-flow\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"bou-hvm-24h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715474223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715474222\",\"updateDate\":1715474224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"lhe-ksz-xyj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711595493000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testjavagetacsmthreatsagentrulereturnsokresponse1711595493\",\"updateDate\":1711595493000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-zp4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"microsoft security essentials executable modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\Program Files\\\\Microsoft Security Client\\\\msseces.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"windows_security_essentials_executable_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"50t-g20-n4o\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1710772096000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"Randomname\",\"updateDate\":1710772096000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"veg-qf4-lgr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719967025000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719967024\",\"updateDate\":1719967025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1cw-vgz-eaz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746628446463,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746628446\",\"updateDate\":1746628446463,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-g5v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process connected to an SSH server\",\"enabled\":true,\"expression\":\"connect.addr.port == 22 \\u0026\\u0026 connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 connect.addr.ip not in [127.0.0.0/8, 0.0.0.0/32, ::1/128, ::/128]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssh_outbound_connection\",\"product_tags\":[\"tactic:TA0008-lateral-movement\",\"technique:T1563-remote-service-session-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dar\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell made an outbound network connection\",\"enabled\":true,\"expression\":\"connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 process.file.name in 
[\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"] \\u0026\\u0026 connect.addr.is_public == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"shell_net_connection\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-do7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Possible ransomware note created under common user directories\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", ~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", ~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n\\u0026\\u0026 open.file.name in [r\\\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\\\"] \\u0026\\u0026 open.file.name not in [r\\\"\\\\.lock$\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ransomware_note\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1490-inhibit-system-recovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"aij-phz-7iz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1746630373819,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746630373\",\"updateDate\":1746630373819,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"lrg-avx-x1k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kernel_module_load_from_memory\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wqf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows update registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsUpdate*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"windows_update_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wgv-wsb-pse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", ~\\\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"aws_imds\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mda-uab-xow\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723178226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1723178224\",\"updateDate\":1723178226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"b7w-xgg-ocq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717130223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717130222\",\"updateDate\":1717130226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fxe-inc-9zj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719938223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719938222\",\"updateDate\":1719938225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0rc-s4t-d0f\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735562223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735562223\",\"updateDate\":1735562225000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9ws-qol-qpn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746529951975,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746529951\",\"updateDate\":1746529951975,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"xg2-lum-j2a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714783024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714783024\",\"updateDate\":1714783024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uqg-z0t-83n\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715575023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715575022\",\"updateDate\":1715575024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-guo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was executed matching arguments for a UAC bypass technique common in powershell empire\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\\\", ~\\\"*-NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"powershell_empire_uac_bypass\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-h19\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The container breakout CVE-2024-21626 was successful\",\"enabled\":true,\"expression\":\"chdir.syscall.path =~ \\\"/proc/self/fd/*\\\" \\u0026\\u0026 chdir.file.path == \\\"/sys/fs/cgroup\\\" \\u0026\\u0026 process.file.name =~ \\\"runc.*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"runc_leaky_fd\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j1b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Looney Tunables (CVE-2023-4911) exploit attempted\",\"enabled\":true,\"expression\":\"exec.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 exec.file.uid == 0 \\u0026\\u0026 exec.uid != 0 \\u0026\\u0026 exec.envs in [~\\\"*GLIBC_TUNABLES*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"looney_tunables_exploit\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2rq-drz-11u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process unlinked a dynamic linker config file\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"dynamic_linker_config_unlink\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1574-hijack-execution-flow\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"1gj-w3o-5qw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1746013904000,\"creator\":{\"name\":\"Thibault Viennot\",\"handle\":\"thibault.viennot@datadoghq.com\"},\"defaultRule\":false,\"description\":\"im a rule\",\"disabled\":[\"CWS_CUSTOM-canary\"],\"enabled\":false,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssotlbqrax\",\"updateDate\":1746013904000,\"updater\":{\"name\":\"Thibault Viennot\",\"handle\":\"thibault.viennot@datadoghq.com\"}}},{\"id\":\"orc-g8c-fmh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746097919884,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746097919\",\"updateDate\":1746097919884,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"g7f-kfr-tdb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Python code was provided on the command line\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"python*\\\" \\u0026\\u0026 exec.args_flags in [\\\"c\\\"] \\u0026\\u0026 exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", ~\\\"*-c*/bash*\\\", ~\\\"*-c*/bin/sh*\\\", ~\\\"*-c*pty.spawn*\\\"] \\u0026\\u0026 exec.args !~ \\\"*setuptools*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"python_cli_code\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mxb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The host file system was mounted in a container\",\"enabled\":true,\"expression\":\"mount.source.path == \\\"/\\\" \\u0026\\u0026 mount.fs_type != \\\"overlay\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"mount_host_fs\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"cvn-qsw-ibn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1716410225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1716410224\",\"updateDate\":1716410225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4qm-ikt-fpr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721954224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721954223\",\"updateDate\":1721954224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4bk-eaa-j5w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728664623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1728664622\",\"updateDate\":1728664623000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"v8l-tbq-nkc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746611597548,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746611597\",\"updateDate\":1746611597548,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-beh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dotnet_dump was used to dump a process memory\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*dotnet-dump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*collect*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"dotnet_dump_execution\",\"product_tags\":[\"tactic:TA0009-collection\",\"technique:T1005-data-from-local-system\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-a41\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The base64 command was used to decode information\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"base64\\\" \\u0026\\u0026 exec.args_flags in [\\\"d\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"base64_decode\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1140-deobfuscate-or-decode-files-or-information\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ps4-63s-bzc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714567023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714567023\",\"updateDate\":1714567024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7ts-208-rn4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AppArmor profile was modified in an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"apparmor_modified_tty\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"e7g-3t1-hpu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716352624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716352624\",\"updateDate\":1716352624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ftd-d3e-byt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721666224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721666224\",\"updateDate\":1721666224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7s9-sfq-2km\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732552624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732552624\",\"updateDate\":1732552624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rta-b8v-4uf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714322223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714322222\",\"updateDate\":1714322224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wpz-bim-6rb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"enabled\":true,\"expression\":\"(exec.file.path == \\\"/usr/bin/pkexec\\\" \\u0026\\u0026 exec.envs in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] \\u0026\\u0026 exec.envs not in [~\\\"*DISPLAY*\\\", ~\\\"*DESKTOP_SESSION*\\\"] \\u0026\\u0026 exec.uid != 0)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pwnkit_privilege_escalation\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"o5t-b08-86p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_rename\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"48s-46n-g4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"systemd_modification_chmod\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"li0-j5t-0hv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724848624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724848624\",\"updateDate\":1724848624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"m7d-vlh-3yq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Package management was detected in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"package_management_in_container\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\",\"policy:best-practice\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wwy-h4d-pwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || 
chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"systemd_modification_chown\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"v2b-cd3-clr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_chown\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wvg-hbj-6o2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720600623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1720600622\",\"updateDate\":1720600624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rec-v3q-e1c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734770223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734770223\",\"updateDate\":1734770227000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ekr-3xj-8yj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735619823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735619823\",\"updateDate\":1735619825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kas-gb6-imd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746611611223,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746611610\",\"updateDate\":1746611611223,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xa1-b6v-n2l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"cron_at_job_creation_rename\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rgf-wo7-4fj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715402226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715402224\",\"updateDate\":1715402226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"d2g-d0v-w1l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732019824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732019824\",\"updateDate\":1732019824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1m6-dg0-lq9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714624623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714624623\",\"updateDate\":1714624624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7sd-d1r-ts5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714840623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714840622\",\"updateDate\":1714840624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-ev8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The wrmsr program executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"wrmsr\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"exec_wrmsr\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hhl-9nk-8ls\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715819826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715819824\",\"updateDate\":1715819826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3ox-06e-x4c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734093424000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734093423\",\"updateDate\":1734093424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-bgf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A hidden file was executed in a suspicious folder\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\".*\\\" \\u0026\\u0026 exec.file.path in 
[~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"hidden_file_executed\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1564-hide-artifacts\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wwc-6it-t7i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_link\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-l8e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"sudoers_policy_modified_chown\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"qd9-39s-51s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721666223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721666223\",\"updateDate\":1721666224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ya9-48i-611\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734496623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734496623\",\"updateDate\":1734496625000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"cdy-cvp-oqz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728617680000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testjavacreateacsmthreatsagentrulereturnsokresponse1728617679\",\"updateDate\":1728617680000,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-u7b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Known offensive tool crackmap exec executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*crackmapexec*\\\", ~\\\"*cme.exe*\\\", ~\\\"*cme.py*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"crackmap_exec_executed\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-hbr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match sliver c2 implant\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*NoExit *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*Command *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"sliver_c2_implant_execution\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1071-application-layer-protocol\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hlp-8dr-0i3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725467825000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1725467823\",\"updateDate\":1725467825000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"a1s-8yo-pst\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746630365537,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746630365\",\"updateDate\":1746630365537,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"73h-yo0-427\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725240870000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1725240869\",\"updateDate\":1725240870000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-wv3\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"hash\":{},\"disabled\":false}],\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Redis module has been created\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) \\u0026\\u0026 process.file.name in [\\\"redis-check-rdb\\\", 
\\\"redis-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"redis_save_module\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1129-shared-modules\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"n8l-rby-b42\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735072624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735072624\",\"updateDate\":1735072624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vca-vvl-m7a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746631358513,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746631358\",\"updateDate\":1746631358513,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-5wh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a SUID file was executed\",\"enabled\":true,\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) \\u0026\\u0026 process.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 process.file.uid == 0 \\u0026\\u0026 process.uid != 0 \\u0026\\u0026 process.file.path != \\\"/usr/bin/sudo\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"suid_file_execution\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7q3-6aa-pix\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssh_authorized_keys_chown\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"v14-hvg-0fd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735216626000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735216624\",\"updateDate\":1735216626000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rwf-5af-jaw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1733618223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733618222\",\"updateDate\":1733618223000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"gyo-ajy-16h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746633521705,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746633521\",\"updateDate\":1746633521705,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-2k6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Suspicious usage of ntdsutil\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"ntdsutil.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*ntds*\\\", ~\\\"*create*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"suspicious_ntdsutil_usage\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"s9m-foq-qqz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using 
a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"credential_modified_chmod\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-eck\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dll written to a suspicious directory\",\"enabled\":true,\"expression\":\"create.file.name =~ \\\"*.dll\\\" \\u0026\\u0026 create.file.device_path not in [~\\\"\\\\Device\\\\*\\\\Windows\\\\System32\\\\**\\\", ~\\\"\\\\Device\\\\*\\\\ProgramData\\\\docker\\\\**\\\"] \\u0026\\u0026 process.file.name != \\\"dockerd.exe\\\"\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"suspicious_dll_write\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1609-container-administration-command\",\"technique:T1610-deploy-container\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-s07\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"sudoers_policy_modified_utimes\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ulx-voj-zk3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714883824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714883824\",\"updateDate\":1714883824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"07u-iqk-me5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1746631377837,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746631377\",\"updateDate\":1746631377837,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sen-ldk-nvs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746635722158,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746635721\",\"updateDate\":1746635722158,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"2vn-l1s-b0y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733013424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733013424\",\"updateDate\":1733013424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"981-x7o-izo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735749424000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735749424\",\"updateDate\":1735749424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"clk-fln-75d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746443537713,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746443537\",\"updateDate\":1746443537713,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-n3u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows shell folders registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders*\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"windows_shell_folders_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"klx-4zm-eg5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746184334893,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746184334\",\"updateDate\":1746184334893,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-tlf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"the windows hosts file was modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\system32\\\\Drivers\\\\etc\\\\hosts\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"windows_hosts_file_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9y1-cbb-p03\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_unlink\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7rw-grx-l7u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1726331823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1726331822\",\"updateDate\":1726331823000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3gy-keh-bpb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746635700702,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746635700\",\"updateDate\":1746635700702,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"pxk-42u-fga\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ 
~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pam_modification_utimes\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-8j2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A web application spawned a shell or shell utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"]) \\u0026\\u0026\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"potential_web_shell_parent\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1210-exploitation-of-remote-services\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-x7z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process executed with arguments common with Inveigh tool usage\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*SpooferIP*\\\", ~\\\"*ReplyToIPs*\\\", ~\\\"*ReplyToDomains*\\\", ~\\\"*ReplyToMACs*\\\", ~\\\"*SnifferIP*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"inveigh_tool_usage\",\"product_tags\":[\"tactic:TA0009-collection\",\"technique:T1557-adversary-in-the-middle\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dfr-by9-sx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"unlink.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 unlink.file.path in [~\\\"/root/**\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 
process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"shell_history_deleted\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1070-indicator-removal\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A file executed from /dev/shm/ directory\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/dev/shm/**\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"devshm_execution\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1564-hide-artifacts\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mr5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process hidden using mount\",\"enabled\":true,\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", ~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"mount_proc_hide\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1564-hide-artifacts\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sic-1px-69u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1717418225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1717418224\",\"updateDate\":1717418225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"f4p-2wj-hrf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715459823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715459822\",\"updateDate\":1715459824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"460-gys-lqp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a pastebin-like site\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\", \\\"rentry.co\\\", \\\"transfer.sh\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"paste_site\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4y4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious bitsadmin command has been executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"bitsadmin.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*addfile*\\\", ~\\\"*create*\\\", ~\\\"*resume*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"suspicious_bitsadmin_usage\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pb3-26n-452\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719981423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719981422\",\"updateDate\":1719981424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"l9m-5ce-g9i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734525423000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734525422\",\"updateDate\":1734525423000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tlu-qlm-1ow\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The runc binary was modified in a non-standard way\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n\\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"runc_modification\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oy4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A tool used to dump process memory has been executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"procmon.exe\\\",\\\"procdump.exe\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"procdump_execution\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qt6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n\\u0026\\u0026 container.id != \\\"\\\"\\n\\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_open_v2\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ycc-lv0-6oj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730939824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730939824\",\"updateDate\":1730939824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5jy-8qa-vwx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724216976000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testrustupdateacsmthreatsagentrulereturnsbadrequestresponse1724216976\",\"updateDate\":1724216976000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xw4-uw8-mmx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725885424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1725885424\",\"updateDate\":1725885424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wwv-c72-w2g\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1745986689000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1745986689\",\"updateDate\":1745986689000,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-b5z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match rubeus credential theft tool\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*asreproast*\\\", ~\\\"*/service:krbtgt*\\\", ~\\\"*dump /luid:0x*\\\", ~\\\"*kerberoast*\\\", ~\\\"*createonly /program*\\\", ~\\\"*ptt /ticket*\\\", ~\\\"*impersonateuser*\\\", ~\\\"*renew /ticket*\\\", ~\\\"*asktgt /user*\\\", ~\\\"*harvest /interval*\\\", ~\\\"*s4u /user*\\\", ~\\\"*hash /password*\\\", ~\\\"*golden /aes256*\\\", ~\\\"*silver /user*\\\", \\\"*rubeus*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"rubeus_execution\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1558-steal-or-forge-kerberos-tickets\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"htc-275-0wt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssh_authorized_keys_chmod\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"a52-req-ghm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Exfiltration attempt via network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026\\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", ~\\\"F=file*\\\"] \\u0026\\u0026\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"net_util_exfiltration\",\"product_tags\":[\"tactic:TA0010-exfiltration\",\"technique:T1048-exfiltration-over-alternative-protocol\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-b7s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kubernetes DNS enumeration\",\"enabled\":true,\"expression\":\"dns.question.name == \\\"any.any.svc.cluster.local\\\" \\u0026\\u0026 dns.question.type == SRV \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kubernetes_dns_enumeration\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1046-network-service-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"l57-d8u-edg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733546224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733546224\",\"updateDate\":1733546224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-hlr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tunneling or port forwarding tool used\",\"enabled\":true,\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") \\u0026\\u0026 process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] \\u0026\\u0026 process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] \\u0026\\u0026 process.args in [r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" \\u0026\\u0026 process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" \\u0026\\u0026 process.args in [r\\\"(TCP4-LISTEN:|SOCKS)\\\"]) || (exec.comm in [\\\"iodine\\\", \\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] \\u0026\\u0026 process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", 
\\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"tunnel_traffic\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1572-protocol-tunneling\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6x2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Service registry runkey modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\CurrentVersion\\\\RunServices\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"registry_service_runkey_modified\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Jupyter notebook executed a shell\",\"enabled\":true,\"expression\":\"(exec.file.name in 
[\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"test\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in [\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"jupyter_shell_execution\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"tf1-bgq-7bb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714883824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714883824\",\"updateDate\":1714883824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nor-y5a-3sn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715373423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715373422\",\"updateDate\":1715373424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mzh-gda-c24\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715762223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715762222\",\"updateDate\":1715762224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zvy-zhs-mba\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746628436281,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746628435\",\"updateDate\":1746628436281,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-qwu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssh_authorized_keys_open_v2\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"191-ty1-ede\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL 
certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_open\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ehx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd rules file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"auditd_rule_file_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kyr-sg6-us9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_chown\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"tb2-3ij-eep\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1732667824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732667824\",\"updateDate\":1732667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vxv-90c-vm4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714279023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714279022\",\"updateDate\":1714279024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"43q-0jv-1zb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746616279053,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746616279\",\"updateDate\":1746616279053,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"zfb-ixo-o4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious file was written by a network utility\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0 
\\u0026\\u0026 process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"net_file_download\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7y2-ihu-hm2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id == \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"net_util\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"5t3-iiv-rv5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == false \\u0026\\u0026 load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", 
\\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\", \\\"udp_diag\\\", \\\"inet_diag\\\"] \\u0026\\u0026 process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kernel_module_load\",\"product_tags\":[\"tactic:TA0003-persistence\",\"tactic:TA0040-impact\",\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"yel-n8d-fhc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746443527243,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746443527\",\"updateDate\":1746443527243,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-wok\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Device rule created\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/etc/udev/rules.d/*\\\", ~\\\"/lib/udev/rules.d/*\\\", ~\\\"/usr/lib/udev/rules.d/*\\\", ~\\\"/usr/local/lib/udev/rules.d/*\\\", ~\\\"/run/udev/rules.d/*\\\"] \\u0026\\u0026 open.flags \\u0026 O_CREAT \\u003e 0\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"udev_modification\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1546-event-triggered-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w60-a8d-qrd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734439024000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734439023\",\"updateDate\":1734439024000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"a9f-o95-atg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715128623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715128622\",\"updateDate\":1715128624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kid-vkk-fj9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715603823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715603822\",\"updateDate\":1715603824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3ay-9ve-3i3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732451823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1732451822\",\"updateDate\":1732451823000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"v9x-9ib-tr7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737288363000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"im a rule\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"qljifimbbh\",\"updateDate\":1737288363000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"sim-wjp-rxz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1748011504465,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"initial description\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"rawfdmzxlc\",\"product_tags\":[\"compliance_framework:HIPAA\"],\"updateDate\":1748011504465,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rv8-utm-cs5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746702690686,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746702690\",\"updateDate\":1746702690686,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ssp-47a-p20\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_unlink\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6oh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Registry runkey has been modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"registry_runkey_modified\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ulc-hn1-cz5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725295024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1725295023\",\"updateDate\":1725295024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"caz-yrk-14e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"enabled\":true,\"expression\":\"dns.question.name in [~\\\"*.minexmr.com\\\", \\\"minexmr.com\\\", ~\\\"*.nanopool.org\\\", \\\"nanopool.org\\\", ~\\\"*.supportxmr.com\\\", \\\"supportxmr.com\\\", ~\\\"*.c3pool.com\\\", \\\"c3pool.com\\\", ~\\\"*.p2pool.io\\\", \\\"p2pool.io\\\", ~\\\"*.ethermine.org\\\", \\\"ethermine.org\\\", ~\\\"*.f2pool.com\\\", \\\"f2pool.com\\\", ~\\\"*.poolin.me\\\", \\\"poolin.me\\\", ~\\\"*.rplant.xyz\\\", \\\"rplant.xyz\\\", ~\\\"*.miningocean.org\\\", \\\"miningocean.org\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"mining_pool_lookup\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-7m7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditctl command was used to modify auditd\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"auditctl\\\" \\u0026\\u0026 exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"auditctl_usage\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4mx-n6o-mmb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"cron_at_job_creation_utimes\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-550\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path == \\\"/etc/sudoers\\\"\\n || rename.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"sudoers_policy_modified_rename\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"l2e-aka-bw6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"enabled\":true,\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"passwd_execution\",\"product_tags\":[\"tactic:TA0003-persistence\",\"tactic:TA0040-impact\",\"technique:T1098-account-manipulation\",\"technique:T1531-account-access-removal\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-xg6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a critical windows file was modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\system32\\\\**\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"critical_windows_files_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"zu3-7yi-3w0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714696626000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714696624\",\"updateDate\":1714696626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"f2b-qds-3f4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1718815023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1718815022\",\"updateDate\":1718815024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qsg-ezg-tyb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746628429225,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746628428\",\"updateDate\":1746628429225,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"yv4-twv-nsx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746184336905,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746184336\",\"updateDate\":1746184336905,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-0en\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The debugfs was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"debugfs\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"debugfs_in_container\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"20v-gdb-0ha\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kernel_module_unlink\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9f3-haw-91q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS EKS service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"aws_eks_service_account_token_accessed\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"gds-0mc-sle\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733330223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733330222\",\"updateDate\":1733330225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-wnn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows firewall configuration registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"windows_firewall_configuration_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"34t-hic-8cn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pam_modification_chmod\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sif-d9p-wzg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_rename\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-i9x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003e 90s \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_open_v2\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hba-kfe-1xr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n utimes.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (utimes.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssh_authorized_keys_utimes\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"d7t-4i4-tex\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1722659826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1722659824\",\"updateDate\":1722659826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sz5-kvy-3kd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732927024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732927024\",\"updateDate\":1732927024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"g9j-hhf-7at\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1722703023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1722703023\",\"updateDate\":1722703024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ayv-hqe-lx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"ssl_certificate_tampering_utimes\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"bwj-n0m-ut5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714653425000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714653424\",\"updateDate\":1714653425000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ssm-zlm-vqh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720312626000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1720312624\",\"updateDate\":1720312626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zsr-y94-6u2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734482226000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734482224\",\"updateDate\":1734482226000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"o4r-6tp-yk0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714466223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714466223\",\"updateDate\":1714466224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"56y-vsb-zqu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kernel_module_open\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"1ys-tf8-u32\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735562224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735562224\",\"updateDate\":1735562224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vax-ch9-i9h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746529944308,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746529944\",\"updateDate\":1746529944308,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"q08-c9l-rsp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", 
\\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"credential_modified_unlink\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"vvb-sfk-jn1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724647024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724647024\",\"updateDate\":1724647024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qo2-qin-6hg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714351023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714351022\",\"updateDate\":1714351024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3ht-mqm-ybx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746628432905,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746628432\",\"updateDate\":1746628432905,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"jx5-yfk-osv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746789254740,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746789254\",\"updateDate\":1746789254740,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-y27\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"RC scripts modified\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 (open.file.path in [\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"rc_scripts_modified\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1037-boot-or-logon-initialization-scripts\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"afj-5sv-2wb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container management utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"suspicious_container_client\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1609-container-administration-command\",\"technique:T1610-deploy-container\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-brb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"regedit used to export critical registry hive\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"reg.exe\\\", \\\"regedit.exe\\\"] \\u0026\\u0026 exec.cmdline in [~\\\"*hklm*\\\", ~\\\"*hkey_local_machine*\\\", ~\\\"*system*\\\", ~\\\"*sam*\\\", ~\\\"*security*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"critical_registry_export\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"6bp-g7f-vgp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746789261585,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746789261\",\"updateDate\":1746789261585,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"647-nlb-uld\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility (such as nmap) commonly used in intrusion attacks was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zgrab\\\", \\\"zgrab2\\\", \\\"rustscan\\\", \\\"pnscan\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"common_net_intrusion_util\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1046-network-service-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fbb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Library libpam.so hooked using 
eBPF\",\"enabled\":true,\"expression\":\"bpf.cmd == BPF_MAP_CREATE \\u0026\\u0026 process.args in [r\\\"libpam\\\\.so\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"libpam_ebpf_hook\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1056-input-capture\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"smg-le8-msf\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"hash\":{},\"disabled\":false}],\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler wrote a suspicious file in a container\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n\\u0026\\u0026 (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"])\\n\\u0026\\u0026 process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n\\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"compile_after_delivery\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"tactic:TA0004-privilege-escalation\",\"technique:T1027-obfuscated-files-or-information\",\"technique:T1574-hijack-execution-flow\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"c2g-31u-jpk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An Azure IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"azure_imds\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ybg-c9d-29b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723034223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723034223\",\"updateDate\":1723034224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bec-cnc-wlz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746631362067,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746631361\",\"updateDate\":1746631362067,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xx5-jk7-v7j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1746631365451,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746631365\",\"updateDate\":1746631365451,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0yj-grp-cmx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"credential_modified_rename\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-o1o\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process made a connection to a port associated with P2PInfect malware\",\"enabled\":true,\"expression\":\"connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 connect.addr.is_public == true \\u0026\\u0026 connect.addr.port \\u003e= 60100 \\u0026\\u0026 connect.addr.port \\u003c= 60150\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"p2pinfect_connection\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1071-application-layer-protocol\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"gx3-4a5-w9a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory inside a container\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"kernel_module_load_from_memory_container\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4fo-giq-5f8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1715416623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715416622\",\"updateDate\":1715416624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tps-9zv-vpp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734899823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734899823\",\"updateDate\":1734899825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-nin\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS request was made for a chatroom domain\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"chatroom_request\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1572-protocol-tunneling\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"iyj-haq-dvu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715373426000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715373425\",\"updateDate\":1715373426000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-nv0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The rclone utility was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"rclone\\\", \\\"rsync\\\", \\\"sftp\\\", \\\"ftp\\\", \\\"scp\\\", \\\"dcp\\\", \\\"rcp\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"file_sync_exfil\",\"product_tags\":[\"tactic:TA0010-exfiltration\",\"technique:T1048-exfiltration-over-alternative-protocol\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"prk-6q1-g0m\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"systemd_modification_rename\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4mu-d2x-fyk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"nsswitch_conf_mod_unlink\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ezw-7rm-wca\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735634224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1735634224\",\"updateDate\":1735634224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mdn-0hh-uw1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734050226000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734050223\",\"updateDate\":1734050226000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"897-56j-4uj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735907824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735907823\",\"updateDate\":1735907824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"lf1-s8g-yf7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715503023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715503022\",\"updateDate\":1715503024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"d5b-olo-ecr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746789273109,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746789272\",\"updateDate\":1746789273109,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"35e-29w-qhu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715128624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715128624\",\"updateDate\":1715128624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3kk-4rm-qug\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1718426224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1718426224\",\"updateDate\":1718426224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w95-d3h-c3r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735864623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735864622\",\"updateDate\":1735864625000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ohq-oxe-jb4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1726883002000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My 
Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1726883002\",\"updateDate\":1726883002000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"gyq-tpv-vvr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746195381263,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746195381\",\"updateDate\":1746195381263,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"422-svi-03v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation\",\"enabled\":true,\"expression\":\"(splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) \\u003e 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"dirty_pipe_exploitation\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"stq-uwx-efd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715531824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715531824\",\"updateDate\":1715531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9ji-2p2-v00\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721248623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721248623\",\"updateDate\":1721248625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"q0u-s8m-8pd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pci_11_5_critical_binaries_utimes\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j45\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process is tracing privileged processes or sshd for possible credential dumping\",\"enabled\":true,\"expression\":\"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \\u0026\\u0026 ptrace.tracee.euid == 0 \\u0026\\u0026 process.comm not in [\\\"dlv\\\", \\\"dlv-linux-amd64\\\", \\\"strace\\\", \\\"gdb\\\", \\\"lldb-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"sensitive_tracing\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1055-process-injection\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tat\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows RPC COM debugging registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"windows_com_rpc_debugging_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rno-53m-mf3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714538225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714538225\",\"updateDate\":1714538225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zt8-od0-yxu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730205424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730205423\",\"updateDate\":1730205424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"97d-p9d-x1d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714941423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714941422\",\"updateDate\":1714941424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5ok-zd7-gf9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1748012897594,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"initial description\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"khuiwwlgzk\",\"product_tags\":[\"compliance_framework:HIPAA\"],\"updateDate\":1748012897594,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tth-j42-vc4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732591470000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testjavacreateacsmthreatsagentrulereturnsokresponse1732591469\",\"updateDate\":1732591470000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"900-1sj-xhs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"pam_modification_unlink\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jbe-827-tq7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732768624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1732768624\",\"updateDate\":1732768624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3xd-vam-hd2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730479023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730479022\",\"updateDate\":1730479024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-fqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The whoami command was executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"whoami\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"exec_whoami\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1033-system-owner-or-user-discovery\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"b68-yq9-x3q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733200623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733200622\",\"updateDate\":1733200625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bcc-gqn-ty6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746443531257,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746443531\",\"updateDate\":1746443531257,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"sej-11b-ey6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation attempt\",\"enabled\":true,\"expression\":\"(splice.pipe_entry_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \\u0026\\u0026 (splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"dirty_pipe_attempt\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-9rk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Local account groups were enumerated after container start up\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"network_sniffing_tool\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1040-network-sniffing\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4mc-0xr-vlw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714264624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714264624\",\"updateDate\":1714264624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9wz-mgt-zkp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715546226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715546226\",\"updateDate\":1715546226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"j7w-ifp-raw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746702683438,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746702683\",\"updateDate\":1746702683438,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-6jw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process environment variables match cryptocurrency miner\",\"enabled\":true,\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", \\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"cryptominer_envs\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mcv-y5o-zg5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"]\\n || 
link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"cron_at_job_creation_link\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-gqa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows boot registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\IniFileMapping\\\\SYSTEM.ini\\\\boot*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"windows_boot_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-jed\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows registry hives file location key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in 
[~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\hivelist*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"registry_hives_file_path_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-18q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tar archive created\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" \\u0026\\u0026 exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"tar_execution\",\"product_tags\":[\"tactic:TA0009-collection\",\"technique:T1560-archive-collected-data\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kbx-ylg-k86\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734597423000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734597422\",\"updateDate\":1734597424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-vqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A scheduled task was created\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*at.exe\\\",~\\\"*schtasks*\\\"] \\u0026\\u0026 
exec.cmdline =~ \\\"*create*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"scheduled_task_creation\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ehh-ypb-9pl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler was executed inside of a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || (exec.file.name == \\\"go\\\" \\u0026\\u0026 exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) \\u0026\\u0026 container.id !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/cilium-agent\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"compiler_in_container\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1027-obfuscated-files-or-information\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"a66-2qy-xwe\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733128623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733128622\",\"updateDate\":1733128625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"yjj-o5q-x00\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1742407951000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_DD\"],\"name\":\"systemd_modification_utimes\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}}]}" + "size": 365701, + "text": "{\"data\":[{\"id\":\"def-000-oag\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"systemd spawned shell\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n 
\\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 process.ancestors.file.path == \\\"/usr/lib/systemd/systemd-executor\\\" \\u0026\\u0026 process.parent.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"systemd_spawned_shell\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"tf1-bgq-7bb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714883824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714883824\",\"updateDate\":1714883824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fyp-i9k-cv7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746630386239,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746630385\",\"updateDate\":1746630386239,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ucb-5zb-rmj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"kernel_module_link\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A scheduled task was created\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*at.exe\\\",~\\\"*schtasks*\\\"] \\u0026\\u0026 exec.cmdline =~ \\\"*create*\\\"\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"scheduled_task_creation\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"0zl-ilo-guv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716050224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716050224\",\"updateDate\":1716050224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xg0-u09-xir\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733603824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733603824\",\"updateDate\":1733603824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xjd-huv-ice\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746611612739,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746611612\",\"updateDate\":1746611612739,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-cjm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"filter\":\"${process.correlation_key} != \\\"\\\"\",\"set\":{\"name\":\"parent_correlation_keys\",\"default_value\":\"\",\"append\":true,\"scope\":\"process\",\"expression\":\"${process.correlation_key}\",\"inherited\":true},\"disabled\":false},{\"set\":{\"name\":\"correlation_key\",\"default_value\":\"\",\"scope\":\"process\",\"expression\":\"\\\"cgroup_${builtins.uuid4}\\\"\",\"inherited\":true},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from cgroup write\",\"enabled\":true,\"expression\":\"cgroup_write.pid \\u003e 0 \\u0026\\u0026 ${process.correlation_key} in [\\\"\\\", ~\\\"cgroup_*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"execution_context_cgroup_write\",\"product_tags\":[\"policy:threat-detection\"],\"silent\":true,\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"qzk-a8h-ikx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746195394785,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746195394\",\"updateDate\":1746195394785,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mcv-y5o-zg5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"]\\n || link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"cron_at_job_creation_link\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"t5u-qdx-650\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n rename.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (rename.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"ssh_authorized_keys_rename\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-x9u\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"filter\":\"${process.correlation_key} != \\\"\\\"\",\"set\":{\"name\":\"parent_correlation_keys\",\"default_value\":\"\",\"append\":true,\"scope\":\"process\",\"expression\":\"${process.correlation_key}\",\"inherited\":true},\"disabled\":false},{\"set\":{\"name\":\"correlation_key\",\"default_value\":\"\",\"scope\":\"process\",\"expression\":\"\\\"interactive_shell_${builtins.uuid4}\\\"\",\"inherited\":true},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from interactive shell\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 (process.tty_name != \\\"\\\" || exec.args_flags in [\\\"i\\\"]) \\u0026\\u0026 ${process.correlation_key} in [\\\"\\\", 
~\\\"cgroup_*\\\", ~\\\"auid_*\\\", ~\\\"service_*\\\", ~\\\"service_new_cgroup_*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"execution_context_interactive_shell\",\"product_tags\":[\"policy:threat-detection\"],\"silent\":true,\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ohq-oxe-jb4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1726883002000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1726883002\",\"updateDate\":1726883002000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"4mu-d2x-fyk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"nsswitch_conf_mod_unlink\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"j8a-wic-bvi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file 
directory\",\"enabled\":true,\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\", ~\\\"LD_PRELOAD=/dev/shm/*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"ld_preload_unusual_library_path\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1574-hijack-execution-flow\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-76q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows cryptographic blocking policy modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllRemoveSignedDataMsg*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"windows_cryptographic_blocking_policy_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wqf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows update registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsUpdate*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"windows_update_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3kk-4rm-qug\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1718426224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1718426224\",\"updateDate\":1718426224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vxv-90c-vm4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714279023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714279022\",\"updateDate\":1714279024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"yep-euy-ttp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714552623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714552623\",\"updateDate\":1714552624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"pix-a2q-opu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746633525563,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746633525\",\"updateDate\":1746633525563,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fpa-r6g-2em\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pci_11_5_critical_binaries_open\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kid-vkk-fj9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715603823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715603822\",\"updateDate\":1715603824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"yel-n8d-fhc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746443527243,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746443527\",\"updateDate\":1746443527243,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"kvo-o7f-pgu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746789257870,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746789257\",\"updateDate\":1746789257870,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"xiu-ghq-4zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pci_11_5_critical_binaries_chown\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-x51\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Safeboot registry modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"safeboot_modification\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"egv-kvz-h9q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746529942370,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746529942\",\"updateDate\":1746529942370,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"zfb-ixo-o4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious file was written by a network utility\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0 \\u0026\\u0026 process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", 
~\\\"/dev/shm/**\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"net_file_download\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w0z-64n-bss\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed in a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"net_util_in_container\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xgw-28i-480\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container executed a new binary not found in the container image\",\"enabled\":true,\"expression\":\"container.id != \\\"\\\" \\u0026\\u0026 process.file.in_upper_layer \\u0026\\u0026 process.file.modification_time \\u003c 30s \\u0026\\u0026 exec.file.name != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"new_binary_execution_in_container\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-o1o\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process made a connection to a port associated with P2PInfect malware\",\"enabled\":true,\"expression\":\"(connect.addr.family == AF_INET || connect.addr.family == AF_INET6) \\u0026\\u0026 connect.addr.is_public == true \\u0026\\u0026 connect.addr.port \\u003e= 60100 \\u0026\\u0026 connect.addr.port \\u003c= 60150\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"p2pinfect_connection\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1071-application-layer-protocol\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xg2-lum-j2a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714783024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714783024\",\"updateDate\":1714783024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"orc-g8c-fmh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746097919884,\"creator\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746097919\",\"updateDate\":1746097919884,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"wwv-c72-w2g\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1745986689000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1745986689\",\"updateDate\":1745986689000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-5xt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Detect attempts to trigger a coredump after modifying /proc/sys/kernel/core_pattern.\",\"enabled\":true,\"expression\":\"exit.cause == COREDUMPED \\u0026\\u0026 container.id == ${container.core_pattern_write_container_id}\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"coredump_triggered\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mpd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process connected to a cryptocurrency mining pool\",\"enabled\":true,\"expression\":\"connect.addr.hostname in [~\\\"*.minexmr.com\\\", \\\"minexmr.com\\\", ~\\\"*.nanopool.org\\\", \\\"nanopool.org\\\", ~\\\"*.supportxmr.com\\\", \\\"supportxmr.com\\\", ~\\\"*.c3pool.com\\\", \\\"c3pool.com\\\", ~\\\"*.p2pool.io\\\", \\\"p2pool.io\\\", ~\\\"*.ethermine.org\\\", \\\"ethermine.org\\\", ~\\\"*.f2pool.com\\\", \\\"f2pool.com\\\", ~\\\"*.poolin.me\\\", \\\"poolin.me\\\", ~\\\"*.rplant.xyz\\\", \\\"rplant.xyz\\\", ~\\\"*.miningocean.org\\\", \\\"miningocean.org\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"mining_pool_domain\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"97d-p9d-x1d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714941423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714941422\",\"updateDate\":1714941424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"gfp-rvz-fcq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746633537526,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746633537\",\"updateDate\":1746633537526,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-h1x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container management socket was referenced in a cURL command\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"curl\\\" \\u0026\\u0026 exec.args_flags in [\\\"unix-socket\\\"] \\u0026\\u0026 exec.args in [~\\\"*docker.sock*\\\", ~\\\"*dockershim.sock*\\\", ~\\\"*containerd.sock*\\\", ~\\\"*crio.sock*\\\", ~\\\"*frakti.sock*\\\", ~\\\"*rktlet.sock*\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"curl_mgmt_socket\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-88h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Egress traffic allowed using iptables\",\"enabled\":true,\"expression\":\"exec.comm == \\\"iptables\\\" \\u0026\\u0026 process.args in [r\\\"OUTPUT.*((25[0-5]|(2[0-4]|1\\\\d|[1-9]|)\\\\d)\\\\.?\\\\b){4}.*ACCEPT\\\"] \\u0026\\u0026 process.args not in [r\\\"(127\\\\.)|(10\\\\.)|(172\\\\.1[6-9]\\\\.)|(172\\\\.2[0-9]\\\\.)|(^172\\\\.3[0-1]\\\\.)|(192\\\\.168\\\\.)|(169\\\\.254\\\\.)\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"iptables_egress_allowed\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2vn-l1s-b0y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733013424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733013424\",\"updateDate\":1733013424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"l57-d8u-edg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733546224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733546224\",\"updateDate\":1733546224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mdn-0hh-uw1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734050226000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734050223\",\"updateDate\":1734050226000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3ht-mqm-ybx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746628432905,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746628432\",\"updateDate\":1746628432905,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-fbb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Library libpam.so hooked using eBPF\",\"enabled\":true,\"expression\":\"bpf.cmd == BPF_MAP_CREATE \\u0026\\u0026 process.args in [r\\\"libpam\\\\.so\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"libpam_ebpf_hook\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1056-input-capture\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"64n-p6m-uq1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n ( link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"]\\n || 
link.file.destination.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"] \\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"] \\n || link.file.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"systemd_modification_link\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bus\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The executable bit was added to a newly created file\",\"enabled\":true,\"expression\":\"chmod.file.in_upper_layer \\u0026\\u0026\\nchmod.file.change_time \\u003c 30s \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026\\nchmod.file.destination.mode != chmod.file.mode \\u0026\\u0026\\nchmod.file.destination.mode \\u0026 S_IXUSR|S_IXGRP|S_IXOTH \\u003e 0 \\u0026\\u0026\\nprocess.argv in [\\\"+x\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"executable_bit_added\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1222-file-and-directory-permissions-modification\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"0rc-s4t-d0f\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735562223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735562223\",\"updateDate\":1735562225000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fry-rzn-glo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1748012434322,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"initial description\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"obtppsoxzh\",\"product_tags\":[\"compliance_framework:HIPAA\"],\"updateDate\":1748012434322,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-dnj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS CLI utility was executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"aws\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"best-practice.policy\",\"threat-detection.policy\"],\"name\":\"aws_cli_usage\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1651-cloud-administration-command\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-s07\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"sudoers_policy_modified_utimes\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dar\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell made an outbound network connection\",\"enabled\":true,\"expression\":\"(connect.addr.family == AF_INET || connect.addr.family == AF_INET6) \\u0026\\u0026 process.file.name in 
[\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"] \\u0026\\u0026 connect.addr.is_public == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"shell_net_connection\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qem\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was deleted via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"userdel\\\", \\\"deluser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"user_deleted_tty\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1531-account-access-removal\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rno-53m-mf3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714538225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714538225\",\"updateDate\":1714538225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"pb3-26n-452\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719981423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719981422\",\"updateDate\":1719981424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"6at-weo-6ya\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746635720659,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746635720\",\"updateDate\":1746635720659,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-3b9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \\u003e 0 \\u0026\\u0026\\n 
(open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"credential_modified_open_v2\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mxb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The host file system was mounted in a container\",\"enabled\":true,\"expression\":\"mount.source.path == \\\"/\\\" \\u0026\\u0026 mount.fs_type != \\\"overlay\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"mount_host_fs\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oy4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A tool used to dump process memory has been executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"procmon.exe\\\",\\\"procdump.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"procdump_execution\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7y2-ihu-hm2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id == \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"net_util\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"bwj-n0m-ut5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714653425000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714653424\",\"updateDate\":1714653425000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-fn2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell profile was modified\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] \\u0026\\u0026 open.flags \\u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"shell_profile_modification\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hhl-9nk-8ls\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715819826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715819824\",\"updateDate\":1715819826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"8tp-dmg-o8w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746702691437,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746702691\",\"updateDate\":1746702691437,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"kfi-eog-4ml\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746631376325,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746631375\",\"updateDate\":1746631376325,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-u1r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process deleted common system log files\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/var/run/utmp\\\", \\\"/var/log/wtmp\\\", \\\"/var/log/btmp\\\", \\\"/var/log/lastlog\\\", \\\"/var/log/faillog\\\", \\\"/var/log/syslog\\\", \\\"/var/log/messages\\\", \\\"/var/log/secure\\\", \\\"/var/log/auth.log\\\", \\\"/var/log/boot.log\\\", 
\\\"/var/log/kern.log\\\"] \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"delete_system_log\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1070-indicator-removal\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w3d-qp8-3yb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716309424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1716309424\",\"updateDate\":1716309424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uyv-a9k-8l7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734395826000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734395824\",\"updateDate\":1734395826000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fiw-wuv-ueg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734914224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734914224\",\"updateDate\":1734914224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"a9f-o95-atg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715128623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715128622\",\"updateDate\":1715128624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"cx8-x1r-vs8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746630369591,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746630369\",\"updateDate\":1746630369591,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rv8-utm-cs5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746702690686,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746702690\",\"updateDate\":1746702690686,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-tlf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"the windows hosts file was modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\system32\\\\Drivers\\\\etc\\\\hosts\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"windows_hosts_file_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-o13\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The configuration directory for an ssh worm\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"ssh_it_tool_config_write\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jf1-ep2-li7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1745209090000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1745209090\",\"updateDate\":1745209090000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"710-xzg-ays\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714480623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714480623\",\"updateDate\":1714480624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4bk-eaa-j5w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728664623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1728664622\",\"updateDate\":1728664623000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bjk-8om-6ua\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746184333160,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746184333\",\"updateDate\":1746184333160,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"7zw-qbm-y6d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"] || open.file.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"systemd_modification_open\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"krx-co0-pz2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715531823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715531822\",\"updateDate\":1715531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mtg-s1f-xy5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716050223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716050222\",\"updateDate\":1716050224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"eqx-iiy-wru\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746195384460,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746195384\",\"updateDate\":1746195384460,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ssp-47a-p20\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", 
\\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pci_11_5_critical_binaries_unlink\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jeh-18e-m9h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An interactive shell was started inside of a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 exec.args_flags in [\\\"i\\\"] \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"interactive_shell_in_container\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1609-container-administration-command\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"n8l-rby-b42\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735072624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735072624\",\"updateDate\":1735072624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vsk-ewy-s83\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714451823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714451823\",\"updateDate\":1714451824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uis-h13-41q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ 
\\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"cron_at_job_creation_open\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hba-kfe-1xr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n utimes.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (utimes.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"ssh_authorized_keys_utimes\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6oh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Registry runkey has been modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", 
~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"registry_runkey_modified\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"i0b-hk0-7h3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715560625000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715560625\",\"updateDate\":1715560625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uhw-kuq-ute\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721119025000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721119024\",\"updateDate\":1721119025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"o5t-b08-86p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"ssl_certificate_tampering_rename\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"a52-req-ghm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Exfiltration attempt via network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026\\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", ~\\\"F=file*\\\"] \\u0026\\u0026\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"net_util_exfiltration\",\"product_tags\":[\"tactic:TA0010-exfiltration\",\"technique:T1048-exfiltration-over-alternative-protocol\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jbe-827-tq7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732768624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1732768624\",\"updateDate\":1732768624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-2k6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Suspicious usage of ntdsutil\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"ntdsutil.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*ntds*\\\", ~\\\"*create*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"suspicious_ntdsutil_usage\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"qoe-y42-hqp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716554224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716554224\",\"updateDate\":1716554224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sz5-kvy-3kd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732927024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732927024\",\"updateDate\":1732927024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"34t-hic-8cn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\"])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pam_modification_chmod\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0fx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell process spawned from print server\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 process.parent.file.name == \\\"foomatic-rip\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"cups_spawned_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-5wh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a SUID file was executed\",\"enabled\":true,\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) \\u0026\\u0026 process.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 process.file.uid == 0 \\u0026\\u0026 process.uid != 0 \\u0026\\u0026 process.file.path != \\\"/usr/bin/sudo\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"suid_file_execution\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"cdy-cvp-oqz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1728617680000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testjavacreateacsmthreatsagentrulereturnsokresponse1728617679\",\"updateDate\":1728617680000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"d5b-olo-ecr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746789273109,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746789272\",\"updateDate\":1746789273109,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ayv-hqe-lx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 
process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"ssl_certificate_tampering_utimes\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7rw-grx-l7u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1726331823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1726331822\",\"updateDate\":1726331823000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5jy-8qa-vwx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724216976000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testrustupdateacsmthreatsagentrulereturnsbadrequestresponse1724216976\",\"updateDate\":1724216976000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"smg-le8-msf\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"hash\":{},\"disabled\":false}],\"category\":\"File 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler wrote a suspicious file in a container\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n\\u0026\\u0026 (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"])\\n\\u0026\\u0026 process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n\\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"compile_after_delivery\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"tactic:TA0004-privilege-escalation\",\"technique:T1027-obfuscated-files-or-information\",\"technique:T1574-hijack-execution-flow\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4sz-cc7-ukd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733560627000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733560624\",\"updateDate\":1733560627000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"v14-hvg-0fd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735216626000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735216624\",\"updateDate\":1735216626000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-fdc\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"filter\":\"${process.correlation_key} != \\\"\\\"\",\"set\":{\"name\":\"parent_correlation_keys\",\"default_value\":\"\",\"append\":true,\"scope\":\"process\",\"expression\":\"${process.correlation_key}\",\"inherited\":true},\"disabled\":false},{\"set\":{\"name\":\"correlation_key\",\"default_value\":\"\",\"scope\":\"process\",\"expression\":\"\\\"service_${builtins.uuid4}\\\"\",\"inherited\":true},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from service\",\"enabled\":true,\"expression\":\"(exec.envs in [\\\"DD_SERVICE\\\", \\\"OTEL_SERVICE_NAME\\\"] || \\\"tags.datadoghq.com/service\\\" in container.tags) \\u0026\\u0026 ${process.correlation_key} in [\\\"\\\", ~\\\"cgroup_*\\\", ~\\\"auid_*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"execution_context_service\",\"product_tags\":[\"policy:threat-detection\"],\"silent\":true,\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"5zt-j5u-aqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715287024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715287024\",\"updateDate\":1715287024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fii-ysi-7bu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715618226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715618224\",\"updateDate\":1715618226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"stq-uwx-efd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715531824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715531824\",\"updateDate\":1715531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"k1r-tva-i6e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1727829423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1727829422\",\"updateDate\":1727829425000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"lhe-ksz-xyj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711595493000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testjavagetacsmthreatsagentrulereturnsokresponse1711595493\",\"updateDate\":1711595493000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"912-lu2-2sg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1731203077000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1731203077\",\"updateDate\":1731203077000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"j7w-ifp-raw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746702683438,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746702683\",\"updateDate\":1746702683438,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-qwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The kubeconfig file was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"read_kubeconfig\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9wz-mgt-zkp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715546226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715546226\",\"updateDate\":1715546226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"6ak-6po-dd6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716640623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716640622\",\"updateDate\":1716640624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"l9m-5ce-g9i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734525423000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734525422\",\"updateDate\":1734525423000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sim-wjp-rxz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1748011504465,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"initial description\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"rawfdmzxlc\",\"product_tags\":[\"compliance_framework:HIPAA\"],\"updateDate\":1748011504465,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sif-d9p-wzg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"nsswitch_conf_mod_rename\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bxs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"sudoers_policy_modified_unlink\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"48s-46n-g4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"systemd_modification_chmod\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wnn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows firewall configuration registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"windows_firewall_configuration_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"tjr-ib4-gya\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714509423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714509423\",\"updateDate\":1714509424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wvg-hbj-6o2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720600623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1720600622\",\"updateDate\":1720600624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hsg-toh-i57\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723610223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723610223\",\"updateDate\":1723610224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bec-cnc-wlz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746631362067,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746631361\",\"updateDate\":1746631362067,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qfa-phf-txa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746529940327,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746529940\",\"updateDate\":1746529940327,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"191-ty1-ede\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"ssl_certificate_tampering_open\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7sd-d1r-ts5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714840623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714840622\",\"updateDate\":1714840624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uqg-z0t-83n\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715575023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715575022\",\"updateDate\":1715575024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-bgf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A hidden file was executed in a suspicious folder\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\".*\\\" \\u0026\\u0026 exec.file.path in [~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"hidden_file_executed\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1564-hide-artifacts\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0pf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to overwrite the container entrypoint\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/proc/self/fd/1\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0 \\u0026\\u0026 
container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"overwrite_entrypoint\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-gqa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows boot registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\IniFileMapping\\\\SYSTEM.ini\\\\boot*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"windows_boot_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-u7b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Known offensive tool crackmap exec executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*crackmapexec*\\\", ~\\\"*cme.exe*\\\", ~\\\"*cme.py*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"crackmap_exec_executed\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2s5-ipa-ooo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process wrote to a dynamic linker config file\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"] \\u0026\\u0026 process.argv0 not in [\\\"runc\\\", \\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"dynamic_linker_config_write\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1574-hijack-execution-flow\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-but\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"])\\n\\u0026\\u0026 process.parent.file.name in [\\\"java\\\", \\\"jspawnhelper\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"java_shell_execution_parent\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"caz-yrk-14e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"enabled\":true,\"expression\":\"dns.question.name in [~\\\"*.minexmr.com\\\", \\\"minexmr.com\\\", ~\\\"*.nanopool.org\\\", \\\"nanopool.org\\\", ~\\\"*.supportxmr.com\\\", \\\"supportxmr.com\\\", ~\\\"*.c3pool.com\\\", \\\"c3pool.com\\\", ~\\\"*.p2pool.io\\\", \\\"p2pool.io\\\", ~\\\"*.ethermine.org\\\", \\\"ethermine.org\\\", ~\\\"*.f2pool.com\\\", \\\"f2pool.com\\\", ~\\\"*.poolin.me\\\", \\\"poolin.me\\\", ~\\\"*.rplant.xyz\\\", \\\"rplant.xyz\\\", ~\\\"*.miningocean.org\\\", \\\"miningocean.org\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"mining_pool_lookup\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ps4-63s-bzc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714567023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714567023\",\"updateDate\":1714567024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nor-y5a-3sn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715373423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715373422\",\"updateDate\":1715373424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"gds-0mc-sle\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733330223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733330222\",\"updateDate\":1733330225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-brb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"regedit used to export critical registry hive\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"reg.exe\\\", \\\"regedit.exe\\\"] \\u0026\\u0026 exec.cmdline in [~\\\"*hklm*\\\", 
~\\\"*hkey_local_machine*\\\", ~\\\"*system*\\\", ~\\\"*sam*\\\", ~\\\"*security*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"critical_registry_export\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fsq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A cryptominer was potentially executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", ~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"windows_cryptominer_process\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rsm-fam-pfp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714869424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714869424\",\"updateDate\":1714869424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"gyq-tpv-vvr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1746195381263,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746195381\",\"updateDate\":1746195381263,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"jx5-yfk-osv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746789254740,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746789254\",\"updateDate\":1746789254740,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-juz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A privileged container was created\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003c 1s \\u0026\\u0026 process.cap_permitted \\u0026 CAP_SYS_ADMIN \\u003e 0\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"best-practice.policy\",\"threat-detection.policy\"],\"name\":\"deploy_priv_container\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\",\"policy:best-practice\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6x2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Service registry runkey modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\CurrentVersion\\\\RunServices\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"registry_service_runkey_modified\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mr5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process hidden using mount\",\"enabled\":true,\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", ~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"mount_proc_hide\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1564-hide-artifacts\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"07y-k18-cih\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was created via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"D\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"user_created_tty\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1136-create-account\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"e6l-qo1-y2e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714682223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714682223\",\"updateDate\":1714682224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bou-hvm-24h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715474223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715474222\",\"updateDate\":1715474224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ou7-vxd-f9m\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746611594063,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746611593\",\"updateDate\":1746611594063,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-l8e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"sudoers_policy_modified_chown\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xh4-cv2-cfa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719031023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719031022\",\"updateDate\":1719031024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"aij-phz-7iz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746630373819,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746630373\",\"updateDate\":1746630373819,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-do7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Possible ransomware note created under common user directories\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", ~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", 
~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n\\u0026\\u0026 (open.file.name in [r\\\"(?i)(restore|recover|instruction|help|how_to|how\\\\ to|ransom).*(your_|recover|crypt|lock|ransom|instruction|files)\\\"] || open.file.name in [r\\\"RECOVER.*\\\\.txt\\\"]) \\u0026\\u0026 open.file.name not in [r\\\"\\\\.lock$\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"ransomware_note\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1490-inhibit-system-recovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows winlogon registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"winlogon_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"piq-bha-m6t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714279024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714279024\",\"updateDate\":1714279024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ssm-zlm-vqh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720312626000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1720312624\",\"updateDate\":1720312626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vvb-sfk-jn1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724647024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724647024\",\"updateDate\":1724647024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vax-ch9-i9h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746529944308,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746529944\",\"updateDate\":1746529944308,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ukn-yjf-h6a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719981424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719981423\",\"updateDate\":1719981424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hgr-nny-7zr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720471023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1720471022\",\"updateDate\":1720471024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"clk-fln-75d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746443537713,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746443537\",\"updateDate\":1746443537713,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"wgv-wsb-pse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"best-practice.policy\",\"threat-detection.policy\"],\"name\":\"aws_imds\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"1l2-7qh-mfa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717432623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717432622\",\"updateDate\":1717432626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"lkj-jnb-khe\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"imds_v1_usage_services\",\"field\":\"process.file.name\",\"append\":true,\"ttl\":10000000000,\"inherited\":false},\"disabled\":false}],\"category\":\"Network Activity\",\"creationDate\":1752506673000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDSv1 request was issued\",\"disabled\":[\"best-practice.policy\"],\"enabled\":false,\"expression\":\"imds.cloud_provider == \\\"aws\\\" \\u0026\\u0026 imds.aws.is_imds_v2 == false \\u0026\\u0026 process.file.name not in 
${imds_v1_usage_services}\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"imds_v1_usage\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:best-practice\"],\"updateDate\":1752506673000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w6f-wte-i63\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"ssl_certificate_tampering_link\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wok\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Device rule created\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/etc/udev/rules.d/*\\\", ~\\\"/lib/udev/rules.d/*\\\", ~\\\"/usr/lib/udev/rules.d/*\\\", ~\\\"/usr/local/lib/udev/rules.d/*\\\", ~\\\"/run/udev/rules.d/*\\\"] \\u0026\\u0026 open.flags \\u0026 O_CREAT \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"udev_modification\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1546-event-triggered-execution\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vjv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Command executed via WMI\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name == \\\"WmiPrvSE.exe\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"wmi_spawning_shell\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1047-windows-management-instrumentation\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"50t-g20-n4o\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1710772096000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"Randomname\",\"updateDate\":1710772096000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"syl-o29-0dq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714826223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714826223\",\"updateDate\":1714826223000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uor-lfz-jrm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746097917859,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746097917\",\"updateDate\":1746097917859,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-kjt\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"filter\":\"${process.correlation_key} != \\\"\\\"\",\"set\":{\"name\":\"parent_correlation_keys\",\"default_value\":\"\",\"append\":true,\"scope\":\"process\",\"expression\":\"${process.correlation_key}\",\"inherited\":true},\"disabled\":false},{\"set\":{\"name\":\"correlation_key\",\"default_value\":\"\",\"scope\":\"process\",\"expression\":\"\\\"service_new_cgroup_${builtins.uuid4}\\\"\",\"inherited\":true},\"disabled\":false}],\"category\":\"Process 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from new service cgroup write\",\"enabled\":true,\"expression\":\"cgroup_write.pid \\u003e 0 \\u0026\\u0026 (process.envs in [\\\"DD_SERVICE\\\", \\\"OTEL_SERVICE_NAME\\\"] || \\\"tags.datadoghq.com/service\\\" in container.tags) \\u0026\\u0026 ${process.correlation_key} in [~\\\"service_*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"execution_context_service_new_cgroup_write\",\"product_tags\":[\"policy:threat-detection\"],\"silent\":true,\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rec-v3q-e1c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734770223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734770223\",\"updateDate\":1734770227000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ges-qo5-4p8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746635709720,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746635709\",\"updateDate\":1746635709720,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"szu-tkm-xvx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1746443529377,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746443529\",\"updateDate\":1746443529377,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"9ym-18v-5zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pci_11_5_critical_binaries_link\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"e7g-3t1-hpu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716352624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716352624\",\"updateDate\":1716352624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"li0-j5t-0hv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724848624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724848624\",\"updateDate\":1724848624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tth-j42-vc4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732591470000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testjavacreateacsmthreatsagentrulereturnsokresponse1732591469\",\"updateDate\":1732591470000,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"x2p-h4q-sxd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746702682078,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746702682\",\"updateDate\":1746702682078,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-ab6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently modified file requested credentials from IMDS\",\"enabled\":true,\"expression\":\"imds.url =~ \\\"/*/meta-data/iam/security-credentials/*\\\" \\u0026\\u0026 (process.parent.file.modification_time \\u003c 120s || process.file.modification_time \\u003c 30s)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"modified_file_requesting_imds_creds\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4yt-ize-avz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Omiagent spawns a privileged child process\",\"enabled\":true,\"expression\":\"exec.uid \\u003e= 0 \\u0026\\u0026 process.ancestors.file.name == \\\"omiagent\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"omigod\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1203-exploitation-for-client-execution\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-18q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tar archive created\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" \\u0026\\u0026 exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"tar_execution\",\"product_tags\":[\"tactic:TA0009-collection\",\"technique:T1560-archive-collected-data\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9ji-2p2-v00\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721248623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721248623\",\"updateDate\":1721248625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qk2-gkn-517\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730162223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730162223\",\"updateDate\":1730162225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9l7-am7-hy6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1736986169000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1736986169\",\"updateDate\":1736986169000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"zjt-hio-sx0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1748011784397,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"initial description\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"wgxsdtgtmx\",\"product_tags\":[\"compliance_framework:HIPAA\"],\"updateDate\":1748011784397,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"y5i-yxn-27t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.mode != chmod.file.destination.mode\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"ssl_certificate_tampering_chmod\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nv0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The rclone utility was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"rclone\\\", \\\"rsync\\\", \\\"sftp\\\", \\\"ftp\\\", \\\"scp\\\", \\\"dcp\\\", \\\"rcp\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"file_sync_exfil\",\"product_tags\":[\"tactic:TA0010-exfiltration\",\"technique:T1048-exfiltration-over-alternative-protocol\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tp8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process opened a 
model-specific register (MSR) configuration file\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/sys/module/msr/parameters/allow_writes\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"open_msr_writes\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"460-gys-lqp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a pastebin-like site\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\", \\\"rentry.co\\\", \\\"transfer.sh\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"paste_site\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-969\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible netcat shell detected\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"netcat\\\", \\\"nc\\\", \\\"ncat\\\"] \\u0026\\u0026 ((exec.args_flags in [\\\"l\\\"] \\u0026\\u0026 exec.args_flags in [\\\"p\\\"]) || (exec.args_flags in [\\\"n\\\"] \\u0026\\u0026 exec.args_flags in [\\\"v\\\"]) || (exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\"]))\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"netcat_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hsx-x1l-3zb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746097926103,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746097925\",\"updateDate\":1746097926103,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"qo2-qin-6hg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714351023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714351022\",\"updateDate\":1714351024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ast-isd-tty\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715645381000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1715645381\",\"updateDate\":1715645381000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"9f3-haw-91q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS EKS service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"aws_eks_service_account_token_accessed\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ev8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The wrmsr program executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"wrmsr\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"exec_wrmsr\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dpm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to enable writing to model-specific registers\",\"enabled\":true,\"expression\":\"exec.comm == \\\"modprobe\\\" \\u0026\\u0026 process.args =~ \\\"*msr*allow_writes*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"kernel_msr_write\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-xv7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the kmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"kmod\\\" \\u0026\\u0026 exec.args in [~\\\"*list*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"kmod_list\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1082-system-information-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-eho\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Container escape attempted by overwriting 
release_agent\",\"enabled\":true,\"expression\":\"open.file.name == \\\"release_agent\\\" \\u0026\\u0026 open.file.path in [\\\"/tmp/**\\\", \\\"/home/**\\\", \\\"/root/**\\\", \\\"/*\\\"] \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"release_agent_escape\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nip\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Browser WebDriver spawned shell\",\"enabled\":true,\"expression\":\"process.parent.file.name in [~\\\"chromedriver*\\\", \\\"geckodriver\\\"] \\u0026\\u0026 exec.file.name not in [\\\"chrome\\\", \\\"google-chrome\\\", \\\"chromium\\\", \\\"firefox\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"webdriver_spawned_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ulx-voj-zk3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714883824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714883824\",\"updateDate\":1714883824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sfj-gky-roy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732869424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732869424\",\"updateDate\":1732869424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wnk-nli-nbp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"cron_at_job_creation_chown\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"gx3-4a5-w9a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory inside a container\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"kernel_module_load_from_memory_container\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oi1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible socat shell detected\",\"enabled\":true,\"expression\":\"((exec.file.name == \\\"socat\\\") || (exec.comm == \\\"socat\\\")) \\u0026\\u0026 exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\", ~\\\"*exec*\\\", ~\\\"*pty*\\\", ~\\\"*setsid*\\\", ~\\\"*stderr*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"socat_shell\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dou-40j-cpw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721378223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721378223\",\"updateDate\":1721378224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ycc-lv0-6oj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730939824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730939824\",\"updateDate\":1730939824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"p6o-t98-nm1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735691823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735691823\",\"updateDate\":1735691824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"isj-kzv-ebz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746633518640,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746633518\",\"updateDate\":1746633518640,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"jlt-y4v-dax\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"] || unlink.file.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"systemd_modification_unlink\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-hc1\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"filter\":\"${process.correlation_key} != \\\"\\\"\",\"set\":{\"name\":\"parent_correlation_keys\",\"default_value\":\"\",\"append\":true,\"scope\":\"process\",\"expression\":\"${process.correlation_key}\",\"inherited\":true},\"disabled\":false},{\"set\":{\"name\":\"correlation_key\",\"default_value\":\"\",\"scope\":\"process\",\"expression\":\"\\\"auid_${builtins.uuid4}\\\"\",\"inherited\":true},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from auid\",\"enabled\":true,\"expression\":\"exec.auid \\u003e= 0 \\u0026\\u0026 exec.auid != AUDIT_AUID_UNSET \\u0026\\u0026 ${process.correlation_key} in [\\\"\\\", ~\\\"cgroup_*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"execution_context_auid\",\"product_tags\":[\"policy:threat-detection\"],\"silent\":true,\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bnt\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"filter\":\"${process.correlation_key} != \\\"\\\"\",\"set\":{\"name\":\"parent_correlation_keys\",\"default_value\":\"\",\"append\":true,\"scope\":\"process\",\"expression\":\"${process.correlation_key}\",\"inherited\":true},\"disabled\":false},{\"set\":{\"name\":\"correlation_key\",\"default_value\":\"\",\"scope\":\"process\",\"expression\":\"\\\"cgroup_${builtins.uuid4}\\\"\",\"inherited\":true},\"disabled\":false}],\"category\":\"Process 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from cgroup\",\"enabled\":true,\"expression\":\"exec.cgroup.id != process.parent.cgroup.id \\u0026\\u0026 ${process.correlation_key} in [\\\"\\\", ~\\\"cgroup_*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"execution_context_cgroup\",\"product_tags\":[\"policy:threat-detection\"],\"silent\":true,\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sic-1px-69u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717418225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1717418224\",\"updateDate\":1717418225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fmr-do0-8np\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1748003540353,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"initial description\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"fcggsfqidc\",\"product_tags\":[\"compliance_framework:HIPAA\"],\"updateDate\":1748003540353,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7zf-mmz-56y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746616270272,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746616270\",\"updateDate\":1746616270272,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"20v-gdb-0ha\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"kernel_module_unlink\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"svl-2s4-jd4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730450224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730450223\",\"updateDate\":1730450224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w7o-w48-j34\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pam_modification_open\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bv2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process matches known relay attack tool\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"*PetitPotam*\\\", ~\\\"*RottenPotato*\\\", ~\\\"*HotPotato*\\\", ~\\\"*JuicyPotato*\\\", ~\\\"*just_dce_*\\\", ~\\\"*Juicy Potato*\\\", \\\"rot.exe\\\", \\\"Potato.exe\\\", \\\"SpoolSample.exe\\\", \\\"Responder.exe\\\", ~\\\"*smbrelayx*\\\", ~\\\"*smbrelayx*\\\", ~\\\"*ntlmrelayx*\\\", ~\\\"*LocalPotato*\\\"] || exec.cmdline in [~\\\"*Invoke-Tater*\\\", ~\\\"*smbrelay*\\\", ~\\\"*ntlmrelay*\\\", ~\\\"*cme smb*\\\", ~\\\"*ntlm:NTLMhash*\\\", 
~\\\"*Invoke-PetitPotam*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"relay_attack_tool_execution\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1555-credentials-from-password-stores\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"zu3-7yi-3w0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714696626000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714696624\",\"updateDate\":1714696626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"klx-4zm-eg5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746184334893,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746184334\",\"updateDate\":1746184334893,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"s9m-foq-qqz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ 
\\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"credential_modified_chmod\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"p4n-ijm-zeu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714155721000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714155721\",\"updateDate\":1714155721000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rta-b8v-4uf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714322223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os 
== \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714322222\",\"updateDate\":1714322224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"b7w-xgg-ocq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717130223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717130222\",\"updateDate\":1717130226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fxe-inc-9zj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719938223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719938222\",\"updateDate\":1719938225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ogb-clp-hot\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\\n\\u0026\\u0026 process.file.path not in 
[~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"cron_at_job_creation_chmod\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mq1-y7n-kf2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"]) \\u0026\\u0026\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] \\u0026\\u0026\\n!(process.parent.file.name == \\\"initdb\\\" \\u0026\\u0026\\nexec.args == \\\"-c locale -a\\\") \\u0026\\u0026\\n!(process.parent.file.name == \\\"postgres\\\" \\u0026\\u0026\\nexec.args == ~\\\"*pg_wal*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"database_shell_execution\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The whoami command was executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"whoami\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"exec_whoami\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1033-system-owner-or-user-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"k8w-brg-51l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715445426000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715445424\",\"updateDate\":1715445426000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kbx-ylg-k86\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734597423000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734597422\",\"updateDate\":1734597424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"a1s-8yo-pst\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746630365537,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746630365\",\"updateDate\":1746630365537,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-n3u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows shell folders registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders*\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"windows_shell_folders_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qn0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsenter used to breakout of container\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"nsenter\\\" \\u0026\\u0026 exec.args_options in [\\\"target=1\\\", \\\"t=1\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"nsenter_in_container\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xw4-uw8-mmx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725885424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1725885424\",\"updateDate\":1725885424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"oed-ka8-syl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711550899000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"my_agent_rule\",\"updateDate\":1711550899000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"gyo-ajy-16h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746633521705,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746633521\",\"updateDate\":1746633521705,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"e5h-onu-f7l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"nsswitch_conf_mod_open\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qf8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"sharpup tool used for local privilege escalation\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sharpup.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*HijackablePaths*\\\", ~\\\"*UnquotedServicePath*\\\", ~\\\"*ProcessDLLHijack*\\\", ~\\\"*ModifiableServiceBinaries*\\\", ~\\\"*ModifiableScheduledTask*\\\", ~\\\"*DomainGPPPassword*\\\", ~\\\"*CachedGPPPassword*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"sharpup_tool_usage\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"981-x7o-izo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735749424000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735749424\",\"updateDate\":1735749424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3gy-keh-bpb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746635700702,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746635700\",\"updateDate\":1746635700702,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"43q-0jv-1zb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746616279053,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746616279\",\"updateDate\":1746616279053,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"tps-9zv-vpp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734899823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734899823\",\"updateDate\":1734899825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"44y-bei-bqj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746633539277,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746633538\",\"updateDate\":1746633539277,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"56y-vsb-zqu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"kernel_module_open\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"prk-6q1-g0m\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n ( 
rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"] \\n || rename.file.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"] \\n || rename.file.destination.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"systemd_modification_rename\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-lc2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Remote access was created using a terminal-sharing service\",\"enabled\":true,\"expression\":\"connect.addr.hostname in [\\\"ssh.tmate.io\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"tmate_usage\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1219-remote-access-tools\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"d2g-d0v-w1l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732019824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732019824\",\"updateDate\":1732019824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"voe-mel-8yq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746611600937,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746611600\",\"updateDate\":1746611600937,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nue-wxi-y3i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735720623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735720623\",\"updateDate\":1735720626000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"v64-qmf-tal\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740543488000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1740543488\",\"updateDate\":1740543488000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"9n1-l1g-u4k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721853424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721853423\",\"updateDate\":1721853424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"6w8-3xn-j4c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1736066223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1736066222\",\"updateDate\":1736066224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"krq-ced-idm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746702684947,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746702684\",\"updateDate\":1746702684947,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"9pu-mp3-xea\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pci_11_5_critical_binaries_rename\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-g5v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process connected to an SSH server\",\"enabled\":true,\"expression\":\"connect.addr.port == 22 \\u0026\\u0026 (connect.addr.family == AF_INET || connect.addr.family == AF_INET6) \\u0026\\u0026 connect.addr.ip not in [127.0.0.0/8, 0.0.0.0/32, ::1/128, ::/128]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"ssh_outbound_connection\",\"product_tags\":[\"tactic:TA0008-lateral-movement\",\"technique:T1563-remote-service-session-hijacking\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-a65\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Web application requested IMDSv1 credentials\",\"enabled\":true,\"expression\":\"imds.aws.is_imds_v2 == false \\u0026\\u0026 imds.url =~ \\\"*/*/meta-data/iam/security-credentials/*\\\" \\u0026\\u0026 (process.ancestors.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.ancestors.file.name =~ \\\"php*\\\" || process.ancestors.file.name == \\\"java\\\")\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"webapp_imds_V1_request\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1531-account-access-removal\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2rq-drz-11u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process unlinked a dynamic linker config file\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"dynamic_linker_config_unlink\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1574-hijack-execution-flow\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3gw-vkx-b7s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728419826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1728419824\",\"updateDate\":1728419826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"aoo-snu-t5u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714423023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714423023\",\"updateDate\":1714423024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ev9-rxn-om1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733272623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733272622\",\"updateDate\":1733272626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xa1-b6v-n2l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"cron_at_job_creation_rename\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sqi-q1z-onu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Network utility executed with suspicious URI\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] \",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"net_unusual_request\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-krr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process removed itself from the filesystem\",\"enabled\":true,\"expression\":\"unlink.file.path == process.file.path\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"unlink_self\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1564-hide-artifacts\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"1ej-lz6-3iy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1735648624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735648624\",\"updateDate\":1735648624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ceu-3h6-qug\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740269813000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1740269813\",\"updateDate\":1740269814000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ti4-rku-0ke\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746789271799,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746789271\",\"updateDate\":1746789271799,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-a41\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The base64 command was used to decode information\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"base64\\\" \\u0026\\u0026 exec.args_flags in [\\\"d\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"base64_decode\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1140-deobfuscate-or-decode-files-or-information\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-pnt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process connected to a penetration testing domain\",\"enabled\":true,\"expression\":\"connect.addr.hostname in [~\\\"*.interact.sh\\\", ~\\\"*.oast.pro\\\", ~\\\"*.oast.live\\\", ~\\\"*.oast.fun\\\", ~\\\"*.oast.me\\\", ~\\\"*.burpcollaborator.net\\\", ~\\\"*.oastify.com\\\", ~\\\"*canarytokens.com\\\", ~\\\"*.requestbin.net\\\", ~\\\"*.dnslog.cn\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"pentest_domain\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"g7f-kfr-tdb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Python code was provided on the command line\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"python*\\\" \\u0026\\u0026 exec.args_flags in [\\\"c\\\"] \\u0026\\u0026 exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", ~\\\"*-c*/bash*\\\", ~\\\"*-c*/bin/sh*\\\", ~\\\"*-c*pty.spawn*\\\"] \\u0026\\u0026 exec.args !~ \\\"*setuptools*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"python_cli_code\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"bcc-gqn-ty6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746443531257,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746443531\",\"updateDate\":1746443531257,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"xxc-35o-apy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1729427824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1729427824\",\"updateDate\":1729427824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-d4i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"NTDS file referenced in commandline\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"ntds_in_commandline\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-npv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Detects CVE-2022-0543\",\"enabled\":true,\"expression\":\"(open.file.path =~ \\\"/usr/lib/x86_64-linux-gnu/*\\\" \\u0026\\u0026 open.file.name in [\\\"libc-2.29.so\\\", \\\"libc-2.30.so\\\", \\\"libc-2.31.so\\\", \\\"libc-2.32.so\\\", \\\"libc-2.33.so\\\", \\\"libc-2.34.so\\\", \\\"libc-2.35.so\\\", \\\"libc-2.36.so\\\", \\\"libc-2.37.so\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"redis_sandbox_escape\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-m9i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows environment variable registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Environment*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"windows_system_enviroment_variable_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PHP web application spawning shell\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name in [\\\"php.exe\\\",\\\"php-cgi.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"php_spawning_shell\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1210-exploitation-of-remote-services\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"d7t-4i4-tex\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1722659826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1722659824\",\"updateDate\":1722659826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mzh-gda-c24\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715762223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715762222\",\"updateDate\":1715762224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ag7-847-gm6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746529951029,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746529950\",\"updateDate\":1746529951029,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"v5x-8l4-d6a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 open.file.path in [~\\\"/root/*\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.file.name == \\\"truncate\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"shell_history_truncated\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1070-indicator-removal\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mmo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n(open.file.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"])) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"sudoers_policy_modified_open\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6jw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process environment variables match cryptocurrency miner\",\"enabled\":true,\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", \\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"cryptominer_envs\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-jl7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"openssl used to establish 
backdoor\",\"enabled\":true,\"expression\":\"exec.comm == \\\"openssl\\\" \\u0026\\u0026 exec.args =~ \\\"*s_client*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"openssl_backdoor\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zo8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently written or modified suid file has been executed\",\"enabled\":true,\"expression\":\"((process.file.mode \\u0026 S_ISUID \\u003e 0) \\u0026\\u0026 process.file.modification_time \\u003c 30s) \\u0026\\u0026 exec.file.name != \\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"suspicious_suid_execution\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hk2-qrd-3jt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714667824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714667824\",\"updateDate\":1714667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-myb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"]\\n || link.file.destination.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"sudoers_policy_modified_link\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"5ok-zd7-gf9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1748012897594,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"initial description\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"khuiwwlgzk\",\"product_tags\":[\"compliance_framework:HIPAA\"],\"updateDate\":1748012897594,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"y0s-toi-yyk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1746097927076,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746097926\",\"updateDate\":1746097927076,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"07u-iqk-me5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746631377837,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746631377\",\"updateDate\":1746631377837,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4mx-n6o-mmb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"cron_at_job_creation_utimes\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"900-1sj-xhs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pam_modification_unlink\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rpc-ji0-zfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"ssh_authorized_keys_open\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"647-nlb-uld\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility (such as nmap) commonly used in intrusion attacks was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zmap\\\", \\\"zgrab\\\", \\\"zgrab2\\\", \\\"rustscan\\\", \\\"pnscan\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"common_net_intrusion_util\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1046-network-service-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"vyd-2vb-tnk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1738469890000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1738469890\",\"updateDate\":1738469890000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0t6-uce-ee0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1734899824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734899824\",\"updateDate\":1734899824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kas-gb6-imd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746611611223,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746611610\",\"updateDate\":1746611611223,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"c2g-31u-jpk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An Azure IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"best-practice.policy\",\"threat-detection.policy\"],\"name\":\"azure_imds\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-beh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dotnet_dump was used to dump a process memory\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*dotnet-dump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*collect*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"dotnet_dump_execution\",\"product_tags\":[\"tactic:TA0009-collection\",\"technique:T1005-data-from-local-system\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"iyj-haq-dvu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715373426000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715373425\",\"updateDate\":1715373426000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-tat\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows RPC COM debugging registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"windows_com_rpc_debugging_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4xu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the lsmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"exec_lsmod\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1082-system-information-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oil\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The unshare utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"unshare\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"unshare_in_container\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"o4r-6tp-yk0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714466223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714466223\",\"updateDate\":1714466224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"aw7-tup-sy0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746628448155,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746628447\",\"updateDate\":1746628448155,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tb2-3ij-eep\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732667824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732667824\",\"updateDate\":1732667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tr5-g9p-4jx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734799023000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734799023\",\"updateDate\":1734799025000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"24l-rs9-d0x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1710500975000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1710500975\",\"updateDate\":1710500975000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ylx-z1o-jjd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746184343494,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746184343\",\"updateDate\":1746184343494,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-lt6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was executed in a Kubernetes user session\",\"enabled\":true,\"expression\":\"exec.user_session.k8s_username != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"k8s_user_session\",\"product_tags\":[\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-y7j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been 
modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pci_11_5_critical_binaries_open_v2\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-t06\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"find command searching for sensitive files\",\"enabled\":true,\"expression\":\"exec.comm == \\\"find\\\" \\u0026\\u0026 exec.args in [~\\\"*credentials*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"find_credentials\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3ox-06e-x4c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734093424000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734093423\",\"updateDate\":1734093424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"afj-5sv-2wb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container management utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\", \\\"ctr\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"suspicious_container_client\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1609-container-administration-command\",\"technique:T1610-deploy-container\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d1i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process memory was dumped using the minidump function from comsvcs.dll\",\"enabled\":true,\"expression\":\"exec.cmdline =~ 
\\\"*MiniDump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*comsvcs*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"minidump_usage\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3cv-rwp-2t7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724215024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724215024\",\"updateDate\":1724215024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w60-a8d-qrd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734439024000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734439023\",\"updateDate\":1734439024000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"00d-kfn-fwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740025013000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1740025013\",\"updateDate\":1740025019000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"v9x-9ib-tr7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737288363000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"im a rule\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"qljifimbbh\",\"updateDate\":1737288363000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"igb-n2l-mh4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746635706008,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746635705\",\"updateDate\":1746635706008,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qes-e3j-s1d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746443538639,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746443538\",\"updateDate\":1746443538639,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"x7i-34j-1rv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\"]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\"])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pam_modification_link\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hlp-8dr-0i3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725467825000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1725467823\",\"updateDate\":1725467825000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"245-ynt-xcy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714610223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714610223\",\"updateDate\":1714610224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"es7-rhv-nra\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714797423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714797422\",\"updateDate\":1714797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"h4n-yuq-2mp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715632623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715632622\",\"updateDate\":1715632624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vma-z5w-bi9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734179823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734179822\",\"updateDate\":1734179825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9ws-qol-qpn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1746529951975,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746529951\",\"updateDate\":1746529951975,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"td2-31c-ln4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"credential_modified_chown\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"y0y-3gl-645\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n unlink.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (unlink.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"ssh_authorized_keys_unlink\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rc4-b53-3sj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715863024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715863024\",\"updateDate\":1715863024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"c79-8dg-klx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715445423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715445422\",\"updateDate\":1715445424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"lf1-s8g-yf7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715503023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715503022\",\"updateDate\":1715503024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rwf-5af-jaw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733618223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733618222\",\"updateDate\":1733618223000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"dtv-dxk-3pn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746616272397,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746616272\",\"updateDate\":1746616272397,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-qnj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process made an outbound IRC connection\",\"enabled\":true,\"expression\":\"connect.addr.port == 6667 \\u0026\\u0026 connect.addr.is_public == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"irc_connection\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1071-application-layer-protocol\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"l2e-aka-bw6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"enabled\":true,\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"passwd_execution\",\"product_tags\":[\"tactic:TA0003-persistence\",\"tactic:TA0040-impact\",\"technique:T1098-account-manipulation\",\"technique:T1531-account-access-removal\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-y27\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"RC scripts modified\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 (open.file.path in 
[\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"rc_scripts_modified\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1037-boot-or-logon-initialization-scripts\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"cvn-qsw-ibn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716410225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1716410224\",\"updateDate\":1716410225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-j1b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Looney Tunables (CVE-2023-4911) exploit attempted\",\"enabled\":true,\"expression\":\"exec.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 exec.file.uid == 0 \\u0026\\u0026 exec.uid != 0 \\u0026\\u0026 exec.envs in [~\\\"*GLIBC_TUNABLES*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"looney_tunables_exploit\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-lel\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Perl executed with suspicious argument\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"perl*\\\" \\u0026\\u0026 exec.args_flags in [\\\"e\\\"] \\u0026\\u0026 (exec.args in [~\\\"*SOCK_STREAM*\\\", ~\\\"*sockaddr_in*\\\"])\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"perl_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1210-exploitation-of-remote-services\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ezw-7rm-wca\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735634224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1735634224\",\"updateDate\":1735634224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0yj-grp-cmx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n 
(rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"credential_modified_rename\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-guo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was executed matching arguments for a UAC bypass technique common in powershell empire\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\\\", ~\\\"*-NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"powershell_empire_uac_bypass\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"35e-29w-qhu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715128624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715128624\",\"updateDate\":1715128624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3xf-404-qez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714667823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714667823\",\"updateDate\":1714667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"a66-2qy-xwe\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733128623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733128622\",\"updateDate\":1733128625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7vi-w5r-h15\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pci_11_5_critical_binaries_chmod\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qt6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered 
with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n\\u0026\\u0026 container.id != \\\"\\\"\\n\\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"ssl_certificate_tampering_open_v2\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mgl-xtg-ctl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715027823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715027822\",\"updateDate\":1715027824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sen-ldk-nvs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746635722158,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name 
== \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1746635721\",\"updateDate\":1746635722158,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mqh-lgo-brj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"nsswitch_conf_mod_chmod\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"qt9-i99-q9p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"nsswitch_conf_mod_utimes\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-m7t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The LD_AUDIT variable is populated by a link to a suspicious file directory\",\"enabled\":true,\"expression\":\"process.envs in [\\\"LD_AUDIT\\\"] \\u0026\\u0026 \\n(\\n mmap.file.path in [~\\\"/home/*\\\", ~\\\"/tmp/*\\\", ~\\\"/dev/shm/*\\\"] || \\n mmap.file.in_upper_layer == true\\n) \\u0026\\u0026\\nmmap.protection \\u0026 (PROT_EXEC) \\u003e 0 \",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"ld_audit_unusual_library_path\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1574-hijack-execution-flow\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6ql\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"memfd object created\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\"memfd*\\\" \\u0026\\u0026 exec.file.path == \\\"\\\" \\u0026\\u0026 process.parent.file.path not in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\" , \\\"/run/docker/runtime-runc/moby/*\\\", \\\"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\\\"] \\u0026\\u0026 !(process.comm == \\\"dd-ipc-helper\\\" \\u0026\\u0026 exec.file.name in [\\\"memfd:spawn_worker_trampoline (deleted)\\\", \\\"memfd:spawn_worker_trampoline\\\"])\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"memfd_create\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1620-reflective-code-loading\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wgq-lg4-tas\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SELinux enforcement status was disabled\",\"enabled\":true,\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] \\u0026\\u0026 process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"selinux_disable_enforcement\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ujx-skx-369\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1744258690000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1744258690\",\"updateDate\":1744258690000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rgf-wo7-4fj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715402226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715402224\",\"updateDate\":1715402226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5rb-4q9-p5g\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716813423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716813422\",\"updateDate\":1716813424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tiy-95c-mkc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723797423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723797423\",\"updateDate\":1723797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"6bp-g7f-vgp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746789261585,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746789261\",\"updateDate\":1746789261585,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"434-kuh-g0w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746184344309,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746184344\",\"updateDate\":1746184344309,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"dkb-9ud-0ca\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container loaded a new kernel module\",\"enabled\":true,\"expression\":\"load_module.name != \\\"\\\" \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"kernel_module_load_container\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wv3\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"hash\":{},\"disabled\":false}],\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Redis module has been created\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) \\u0026\\u0026 process.file.name in [\\\"redis-check-rdb\\\", 
\\\"redis-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"redis_save_module\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1129-shared-modules\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"qba-1qm-uj5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721075824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721075824\",\"updateDate\":1721075824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3ay-9ve-3i3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732451823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1732451822\",\"updateDate\":1732451823000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-zp4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"microsoft security essentials executable modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\Program Files\\\\Microsoft Security Client\\\\msseces.exe\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"windows_security_essentials_executable_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4ov-ang-2gx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a IP check service\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"ip_check_domain\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1016-system-network-configuration-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-41f\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH initiated a connection on a nonstandard port\",\"enabled\":true,\"expression\":\"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] \\u0026\\u0026 process.file.name == \\\"ssh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"ssh_nonstandard_connection\",\"product_tags\":[\"tactic:TA0008-lateral-movement\",\"technique:T1021-remote-services\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"b79-xcg-63p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1719059824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719059824\",\"updateDate\":1719059824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"dfr-by9-sx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"unlink.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 unlink.file.path in [~\\\"/root/**\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"shell_history_deleted\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1070-indicator-removal\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-2wg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"find command searching for container management socket\",\"enabled\":true,\"expression\":\"exec.comm == \\\"find\\\" \\u0026\\u0026 exec.args in [~\\\"*.sock*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"find_mgmt_socket\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wwc-6it-t7i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"nsswitch_conf_mod_link\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"zdz-ued-luw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714797424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714797424\",\"updateDate\":1714797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1ys-tf8-u32\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735562224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735562224\",\"updateDate\":1735562224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"q08-c9l-rsp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"credential_modified_unlink\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7ts-208-rn4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AppArmor profile was modified in an interactive 
session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"apparmor_modified_tty\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7s9-sfq-2km\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732552624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732552624\",\"updateDate\":1732552624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"g9j-hhf-7at\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1722703023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1722703023\",\"updateDate\":1722703024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zkc-kqn-frn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746616273510,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746616273\",\"updateDate\":1746616273510,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"sej-11b-ey6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation attempt\",\"enabled\":true,\"expression\":\"(splice.pipe_entry_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \\u0026\\u0026 (splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"dirty_pipe_attempt\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-9rk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Local account groups were enumerated after container start up\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"network_sniffing_tool\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1040-network-sniffing\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-7ez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible php shell detected\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"php\\\" \\u0026\\u0026 exec.args_flags in [\\\"r\\\"] \\u0026\\u0026 ((exec.args in [~\\\"*socket_bind*\\\", ~\\\"*socket_listen*\\\", ~\\\"*socket_accept*\\\", ~\\\"*socket_create*\\\", ~\\\"*socket_write*\\\", ~\\\"*socket_read*\\\"]) || (exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\"]))\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"php_shell\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1210-exploitation-of-remote-services\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-925\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell with a TTY was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 process.tty_name != \\\"\\\" \\u0026\\u0026 
process.container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"tty_shell_in_container\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1609-container-administration-command\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"nco-423-hiu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733531824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733531824\",\"updateDate\":1733531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"k95-kl4-jxt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714696623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714696623\",\"updateDate\":1714696627000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"8rl-d3i-xyv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746195378531,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746195378\",\"updateDate\":1746195378531,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-i9x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003e 90s \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"nsswitch_conf_mod_open_v2\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pfu-dvh-e5w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pam_modification_chown\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ly8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd configuration file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"auditd_config_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-eck\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dll written to a suspicious directory\",\"enabled\":true,\"expression\":\"create.file.name =~ \\\"*.dll\\\" \\u0026\\u0026 create.file.device_path not in [~\\\"\\\\Device\\\\*\\\\Windows\\\\System32\\\\**\\\", ~\\\"\\\\Device\\\\*\\\\ProgramData\\\\docker\\\\**\\\"] \\u0026\\u0026 process.file.name != \\\"dockerd.exe\\\"\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"suspicious_dll_write\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1609-container-administration-command\",\"technique:T1610-deploy-container\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jr3-0m8-jlj\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"hash\":{},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process launched with arguments associated with cryptominers\",\"enabled\":true,\"expression\":\"exec.args_options in [~\\\"cpu-priority*\\\", ~\\\"donate-level*\\\", ~\\\"wallet-address*\\\"] || exec.args_flags == \\\"randomx-1gb-pages\\\" || exec.args in [~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"cryptominer_args\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-h19\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The container breakout CVE-2024-21626 was successful\",\"enabled\":true,\"expression\":\"chdir.syscall.path =~ \\\"/proc/self/fd/*\\\" \\u0026\\u0026 chdir.file.path == \\\"/sys/fs/cgroup\\\" \\u0026\\u0026 process.file.name =~ \\\"runc.*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"runc_leaky_fd\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"897-56j-4uj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735907824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735907823\",\"updateDate\":1735907824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zt8-od0-yxu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730205424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730205423\",\"updateDate\":1730205424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"18r-273-a6u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735547824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735547824\",\"updateDate\":1735547824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"b68-yq9-x3q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733200623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733200622\",\"updateDate\":1733200625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bwn-zl7-d0k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746097915502,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746097915\",\"updateDate\":1746097915502,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"kv9-026-vhz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", 
\\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"credential_modified_utimes\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0en\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The debugfs was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"debugfs\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"debugfs_in_container\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ibc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The mount utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"mount\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"mount_in_container\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ngk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process established a connection to ngrok\",\"enabled\":true,\"expression\":\"connect.addr.hostname in [~\\\"*.tunnel*.ngrok.com\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"ngrok_domain\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1102-web-service\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ehx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd rules file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"auditd_rule_file_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pwu-7u7-iiq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_TRACEME \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"ptrace_antidebug\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1622-debugger-evasion\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pz7-rvb-ckm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734692969000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1734692969\",\"updateDate\":1734692970000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"wwy-h4d-pwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"systemd_modification_chown\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-5ew\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container management utility listed images\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\", \\\"ctr\\\"] \\u0026\\u0026 exec.args in [\\\"image list\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"enum_images\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-b7s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kubernetes DNS enumeration\",\"enabled\":true,\"expression\":\"dns.question.name == \\\"any.any.svc.cluster.local\\\" \\u0026\\u0026 dns.question.type == SRV \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"kubernetes_dns_enumeration\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1046-network-service-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kax-qcg-qu0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714581423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714581423\",\"updateDate\":1714581424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ro3-z56-52j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732221423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1732221423\",\"updateDate\":1732221424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"z2v-n54-g9a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733661423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733661422\",\"updateDate\":1733661424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"91f-pyq-54k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n link.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (link.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"ssh_authorized_keys_link\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-8j2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A web application spawned a shell or shell utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n 
\\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\
\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"]) \\u0026\\u0026\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"potential_web_shell_parent\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1210-exploitation-of-remote-services\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4y4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious bitsadmin command has been executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"bitsadmin.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*addfile*\\\", ~\\\"*create*\\\", ~\\\"*resume*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"suspicious_bitsadmin_usage\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"eue-gqs-59v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1715503024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715503024\",\"updateDate\":1715503024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qsg-ezg-tyb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746628429225,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746628428\",\"updateDate\":1746628429225,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xx5-jk7-v7j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746631365451,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746631365\",\"updateDate\":1746631365451,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-crv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"])\\n) \\u0026\\u0026 
chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"sudoers_policy_modified_chmod\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"tlu-qlm-1ow\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The runc binary was modified in a non-standard way\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n\\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"runc_modification\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lli-czr-q4y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"credential_modified_link\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1003-os-credential-dumping\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"f2b-qds-3f4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1718815023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1718815022\",\"updateDate\":1718815024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zvy-zhs-mba\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746628436281,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1746628435\",\"updateDate\":1746628436281,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4fo-giq-5f8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715416623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715416622\",\"updateDate\":1715416624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fyq-x5u-mv1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in 
[~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"kernel_module_utimes\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"f5p-men-xz3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735994224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735994224\",\"updateDate\":1735994224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-qwu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 
(open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 container.id != \\\"\\\" \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"ssh_authorized_keys_open_v2\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-cyz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell spawned from a git clone which could be exploitation of CVE-2025-48384\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"] \\u0026\\u0026 process.ancestors[A].comm == \\\"git\\\" \\u0026\\u0026 process.ancestors[A].argv in [\\\"clone\\\"] \\u0026\\u0026 process.ancestors[A].args_flags in [\\\"recursive\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"git_cve_2025_48384\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1203-exploitation-for-client-execution\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fsu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process is masquerading as a kernel thread by using bracket notation in its name\",\"enabled\":true,\"expression\":\"(exec.comm in [r\\\"^\\\\[.*\\\\]$\\\"] || exec.argv0 in [r\\\"^\\\\[.*\\\\]$\\\"]) \\u0026\\u0026 (process.parent.ppid !=2 || process.args != \\\"\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"kernel_process_masquerade\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Jupyter notebook executed a shell\",\"enabled\":true,\"expression\":\"(exec.file.name in 
[\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"test\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in [\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"jupyter_shell_execution\",\"product_tags\":[\"tactic:TA0001-initial-access\",\"technique:T1190-exploit-public-facing-application\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3hj-2t8-ydm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1729787824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1729787824\",\"updateDate\":1729787824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zsr-y94-6u2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734482226000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734482224\",\"updateDate\":1734482226000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"shf-bur-1id\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735288624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735288624\",\"updateDate\":1735288624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-6ku\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"filter\":\"${process.correlation_key} != \\\"\\\"\",\"set\":{\"name\":\"parent_correlation_keys\",\"default_value\":\"\",\"append\":true,\"scope\":\"process\",\"expression\":\"${process.correlation_key}\",\"inherited\":true},\"disabled\":false},{\"set\":{\"name\":\"correlation_key\",\"default_value\":\"\",\"scope\":\"process\",\"expression\":\"\\\"service_new_cgroup_${builtins.uuid4}\\\"\",\"inherited\":true},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from new service cgroup\",\"enabled\":true,\"expression\":\"(exec.envs in [\\\"DD_SERVICE\\\", \\\"OTEL_SERVICE_NAME\\\"] || \\\"tags.datadoghq.com/service\\\" in container.tags) \\u0026\\u0026 ${process.correlation_key} in [~\\\"service_*\\\"] \\u0026\\u0026 process.cgroup.id != process.parent.cgroup.id\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"execution_context_service_new_cgroup\",\"product_tags\":[\"policy:threat-detection\"],\"silent\":true,\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wpz-bim-6rb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"enabled\":true,\"expression\":\"(exec.file.path == \\\"/usr/bin/pkexec\\\" \\u0026\\u0026 exec.envs in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] \\u0026\\u0026 exec.envs not in [~\\\"*DISPLAY*\\\", 
~\\\"*DESKTOP_SESSION*\\\"] \\u0026\\u0026 exec.uid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"pwnkit_privilege_escalation\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-hbr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match sliver c2 implant\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*NoExit *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*Command *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"sliver_c2_implant_execution\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1071-application-layer-protocol\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mda-uab-xow\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723178226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1723178224\",\"updateDate\":1723178226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1gj-w3o-5qw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1746013904000,\"creator\":{\"name\":\"Thibault 
Viennot\",\"handle\":\"thibault.viennot@datadoghq.com\"},\"defaultRule\":false,\"description\":\"im a rule\",\"disabled\":[\"CWS_CUSTOM-canary\"],\"enabled\":false,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssotlbqrax\",\"updateDate\":1746013904000,\"updater\":{\"name\":\"Thibault Viennot\",\"handle\":\"thibault.viennot@datadoghq.com\"}}},{\"id\":\"wzz-ni8-56v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733963824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733963824\",\"updateDate\":1733963824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w95-d3h-c3r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735864623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735864622\",\"updateDate\":1735864625000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hcr-3py-6it\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1736807340000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1736807340\",\"updateDate\":1736807342000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fog-8k1-fzi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733704624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733704624\",\"updateDate\":1733704624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5b4-k0v-rzw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734424624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734424623\",\"updateDate\":1734424624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-7m7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditctl command was used to modify auditd\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"auditctl\\\" \\u0026\\u0026 exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"auditctl_usage\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1562-impair-defenses\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ybl-tp8-aab\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730263023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730263022\",\"updateDate\":1730263025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"m23-qb9-9s8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"cron_at_job_creation_unlink\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1053-scheduled-task-or-job\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kpm-7kh-xz5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to inject code into another process\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"ptrace_injection\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1055-process-injection\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ya9-48i-611\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734496623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734496623\",\"updateDate\":1734496625000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ehh-ypb-9pl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler was executed inside of a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"javac\\\", \\\"clang\\\", 
\\\"gcc\\\", \\\"bcc\\\"] || exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || (exec.file.name == \\\"go\\\" \\u0026\\u0026 exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) \\u0026\\u0026 container.id !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/cilium-agent\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"best-practice.policy\",\"threat-detection.policy\"],\"name\":\"compiler_in_container\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1027-obfuscated-files-or-information\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-x7z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process executed with arguments common with Inveigh tool usage\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*SpooferIP*\\\", ~\\\"*ReplyToIPs*\\\", ~\\\"*ReplyToDomains*\\\", ~\\\"*ReplyToMACs*\\\", ~\\\"*SnifferIP*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"inveigh_tool_usage\",\"product_tags\":[\"tactic:TA0009-collection\",\"technique:T1557-adversary-in-the-middle\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-uv8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"systemctl used to stop a service\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"systemctl\\\" \\u0026\\u0026 exec.args in [~\\\"*stop*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"service_stop\",\"product_tags\":[\"tactic:TA0040-impact\",\"technique:T1489-service-stop\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"nio-59w-ip8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714927026000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714927026\",\"updateDate\":1714927026000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1cw-vgz-eaz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746628446463,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746628446\",\"updateDate\":1746628446463,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3i1-zpd-ycj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"kernel_module_rename\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"q0u-s8m-8pd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pci_11_5_critical_binaries_utimes\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dmf-a2c-odj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A symbolic link for shell history was created targeting /dev/null\",\"enabled\":true,\"expression\":\"exec.comm == \\\"ln\\\" \\u0026\\u0026 exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"shell_history_symlink\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1070-indicator-removal\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-550\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [\\\"/etc/sudoers\\\", ~\\\"/etc/sudoers.d/*\\\"]\\n || rename.file.destination.path in [\\\"/etc/sudoers\\\",~\\\"/etc/sudoers.d/*\\\"])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"sudoers_policy_modified_rename\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1548-abuse-elevation-control-mechanism\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ftd-d3e-byt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721666224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721666224\",\"updateDate\":1721666224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"269-p6y-i3p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742473183000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1742473182\",\"updateDate\":1742473183000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1m6-dg0-lq9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714624623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714624623\",\"updateDate\":1714624624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"f4p-2wj-hrf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715459823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715459822\",\"updateDate\":1715459824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tw0-y2e-9wf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1738627773000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1738627773\",\"updateDate\":1738627773000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ro4-rju-1vq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An GCP IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", ~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"best-practice.policy\",\"threat-detection.policy\"],\"name\":\"gcp_imds\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1552-unsecured-credentials\",\"policy:best-practice\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ekr-3xj-8yj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735619823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735619823\",\"updateDate\":1735619825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ctc-pux-luh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737951387000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1737951387\",\"updateDate\":1737951389000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"def-000-jm5\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"core_pattern_write_container_id\",\"field\":\"container.id\",\"scope\":\"container\",\"ttl\":1800000000000,\"inherited\":false},\"disabled\":false}],\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Detect any attempt to modify /proc/sys/kernel/core_pattern from a 
container, which might result to escape to host when a core dump is triggered.\",\"enabled\":true,\"expression\":\"open.file.name == \\\"core_pattern\\\" \\u0026\\u0026\\nopen.file.filesystem == \\\"proc\\\" \\u0026\\u0026\\nopen.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 \\ncontainer.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"core_pattern_write\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1611-escape-to-host\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lrg-avx-x1k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"kernel_module_load_from_memory\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"veg-qf4-lgr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719967025000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719967024\",\"updateDate\":1719967025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"yv4-twv-nsx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1746184336905,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746184336\",\"updateDate\":1746184336905,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"i5i-xfz-wxs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746195393441,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746195393\",\"updateDate\":1746195393441,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-xg6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a critical windows file was modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\system32\\\\**\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"critical_windows_files_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2dz-kyt-nme\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"kernel_module_chmod\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"htc-275-0wt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"ssh_authorized_keys_chmod\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-r6p\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"correlation_key_file_path\",\"field\":\"unlink.file.path\",\"scope\":\"cgroup\",\"inherited\":false},\"disabled\":false}],\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A file was deleted shortly after it was executed\",\"enabled\":true,\"expression\":\"unlink.file.path in ${cgroup.chain_exec_unlink}\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"delete_new_process\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1564-hide-artifacts\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3xd-vam-hd2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730479023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730479022\",\"updateDate\":1730479024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5t3-iiv-rv5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was 
loaded\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == false \\u0026\\u0026 load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", \\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\", \\\"udp_diag\\\", \\\"inet_diag\\\"] \\u0026\\u0026 process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"kernel_module_load\",\"product_tags\":[\"tactic:TA0003-persistence\",\"tactic:TA0040-impact\",\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"technique:T1496-resource-hijacking\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-hlr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tunneling or port forwarding tool used\",\"enabled\":true,\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") \\u0026\\u0026 process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] \\u0026\\u0026 process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] \\u0026\\u0026 process.args in [r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" \\u0026\\u0026 process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" \\u0026\\u0026 process.args in [r\\\"(TCP4-LISTEN:|SOCKS)\\\"]) || (exec.comm in [\\\"iodine\\\", \\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] 
\\u0026\\u0026 process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"tunnel_traffic\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1572-protocol-tunneling\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ybg-c9d-29b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723034223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723034223\",\"updateDate\":1723034224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"v8l-tbq-nkc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746611597548,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1746611597\",\"updateDate\":1746611597548,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5c8-aij-182\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720156180000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testrustgetacsmthreatsagentrulereturnsokresponse1720156180\",\"updateDate\":1720156180000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-a0x\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"filter\":\"${process.correlation_key} != \\\"\\\"\",\"set\":{\"name\":\"parent_correlation_keys\",\"default_value\":\"\",\"append\":true,\"scope\":\"process\",\"expression\":\"${process.correlation_key}\",\"inherited\":true},\"disabled\":false},{\"set\":{\"name\":\"correlation_key\",\"default_value\":\"\",\"scope\":\"process\",\"expression\":\"\\\"k8s_session_${builtins.uuid4}\\\"\",\"inherited\":true},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Track execution context from k8s user session\",\"enabled\":true,\"expression\":\"exec.user_session.k8s_username != \\\"\\\" \\u0026\\u0026 ${process.correlation_key} in [\\\"\\\", ~\\\"cgroup_*\\\", ~\\\"auid_*\\\", ~\\\"service_*\\\", ~\\\"service_new_cgroup_*\\\", ~\\\"interactive_shell_*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"execution_context_k8s_usersession_entrypoint\",\"product_tags\":[\"policy:threat-detection\"],\"silent\":true,\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9of-ebc-ypn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733143023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733143022\",\"updateDate\":1733143023000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"eor-xnf-mac\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746616279688,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746616279\",\"updateDate\":1746616279688,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"9y1-cbb-p03\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 
process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"ssl_certificate_tampering_unlink\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-3v0\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"chain_exec_unlink\",\"field\":\"exec.file.path\",\"append\":true,\"scope\":\"cgroup\",\"ttl\":30000000000,\"inherited\":false},\"disabled\":false},{\"set\":{\"name\":\"exec_new_file_in_cgroup\",\"field\":\"exec.file.path\",\"append\":true,\"scope\":\"cgroup\",\"size\":10000,\"ttl\":1800000000000,\"inherited\":false},\"disabled\":false},{\"set\":{\"name\":\"correlation_key_file_path\",\"field\":\"exec.file.path\",\"scope\":\"cgroup\",\"inherited\":false},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A recently modified file was executed\",\"enabled\":true,\"expression\":\"exec.file.change_time \\u003c 30s \\u0026\\u0026 cgroup.file.inode != 0 \\u0026\\u0026 exec.file.path not in ${cgroup.exec_new_file_in_cgroup}\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"exec_new_file\",\"product_tags\":[\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j45\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process is tracing privileged processes or sshd for possible credential dumping\",\"enabled\":true,\"expression\":\"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) 
\\u0026\\u0026 ptrace.tracee.euid == 0 \\u0026\\u0026 process.comm not in [\\\"dlv\\\", \\\"dlv-linux-amd64\\\", \\\"strace\\\", \\\"gdb\\\", \\\"lldb-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"sensitive_tracing\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1055-process-injection\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"94l-lhd-e33\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"kernel_module_chown\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1547-boot-or-logon-autostart-execution\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-jed\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows registry hives file location key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\hivelist*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"registry_hives_file_path_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1112-modify-registry\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6lj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"windows explorer file has been modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\explorer.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"windows_explorer_executable_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1036-masquerading\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"qd9-39s-51s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721666223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721666223\",\"updateDate\":1721666224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wri-hx3-4n3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pam_modification_rename\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7q3-6aa-pix\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"ssh_authorized_keys_chown\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-49j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A known kubernetes pentesting tool has been executed\",\"enabled\":true,\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] \\u0026\\u0026 (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"offensive_k8s_tool\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1613-container-and-resource-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-b5z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match rubeus credential theft tool\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*asreproast*\\\", ~\\\"*/service:krbtgt*\\\", ~\\\"*dump /luid:0x*\\\", ~\\\"*kerberoast*\\\", ~\\\"*createonly /program*\\\", ~\\\"*ptt /ticket*\\\", ~\\\"*impersonateuser*\\\", ~\\\"*renew /ticket*\\\", ~\\\"*asktgt /user*\\\", ~\\\"*harvest /interval*\\\", ~\\\"*s4u /user*\\\", ~\\\"*hash /password*\\\", ~\\\"*golden /aes256*\\\", ~\\\"*silver /user*\\\", 
\\\"*rubeus*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"rubeus_execution\",\"product_tags\":[\"tactic:TA0006-credential-access\",\"technique:T1558-steal-or-forge-kerberos-tickets\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tig\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was added to the sudo group\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"usermod\\\" \\u0026\\u0026 (exec.args_flags in [\\\"aG\\\"] || exec.args_flags in [\\\"G\\\"]) \\u0026\\u0026 exec.args_flags not in [\\\"r\\\"] \\u0026\\u0026 (exec.argv == \\\"sudo\\\" || exec.argv == \\\"wheel\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"usermod_privileged_group\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1098-account-manipulation\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"m77-qgu-c48\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717677423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717677422\",\"updateDate\":1717677424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"def-000-ipl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process 
checked the public IP address of the host\",\"enabled\":true,\"expression\":\"connect.addr.hostname in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"ip_lookup_domain\",\"product_tags\":[\"tactic:TA0007-discovery\",\"technique:T1016-system-network-configuration-discovery\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j1p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows Known DLLs location registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\KnownDLLs*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"known_dll_registry_key_modified\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1574-hijack-execution-flow\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4mc-0xr-vlw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714264624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714264624\",\"updateDate\":1714264624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"pxk-42u-fga\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\", ~\\\"/lib/security/*\\\", ~\\\"/usr/lib/security/*\\\", ~\\\"/lib64/security/*\\\", ~\\\"/usr/lib64/security/*\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"pam_modification_utimes\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4tl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Certutil was executed to transmit or decode a potentially malicious file\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"certutil.exe\\\" \\u0026\\u0026 ((exec.cmdline =~ \\\"*urlcache*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*split*\\\") || exec.cmdline =~ \\\"*decode*\\\")\",\"filters\":[\"os == \\\"windows\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"certutil_usage\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nin\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network 
Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS request was made for a chatroom domain\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"chatroom_request\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1572-protocol-tunneling\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"o9g-ptk-2zv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733575024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733575024\",\"updateDate\":1733575024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vca-vvl-m7a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746631358513,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1746631358\",\"updateDate\":1746631358513,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"z0t-qdd-lkb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1746630384644,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746630384\",\"updateDate\":1746630384644,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kyr-sg6-us9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"ssl_certificate_tampering_chown\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1553-subvert-trust-controls\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"yjj-o5q-x00\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\"] || utimes.file.path in [ ~\\\"/etc/systemd/user/**\\\", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\", ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\"])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\",\"threat-detection.policy\"],\"name\":\"systemd_modification_utimes\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1569-system-services\",\"policy:threat-detection\",\"policy:compliance\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ulc-hn1-cz5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725295024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1725295023\",\"updateDate\":1725295024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4qm-ikt-fpr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721954224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721954223\",\"updateDate\":1721954224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ocv-we5-g5y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715661423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715661422\",\"updateDate\":1715661423000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wt2-84b-uy6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737433133000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1737433133\",\"updateDate\":1737433133000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rjm-biu-bqq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715272623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715272622\",\"updateDate\":1715272624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"73h-yo0-427\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725240870000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"CWS_CUSTOM-canary\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1725240869\",\"updateDate\":1725240870000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"v2b-cd3-clr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1753453274000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"compliance.policy\"],\"name\":\"nsswitch_conf_mod_chown\",\"product_tags\":[\"tactic:TA0003-persistence\",\"technique:T1556-modify-authentication-process\",\"policy:compliance\"],\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"m7d-vlh-3yq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Package management was detected in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"best-practice.policy\",\"threat-detection.policy\"],\"name\":\"package_management_in_container\",\"product_tags\":[\"tactic:TA0002-execution\",\"technique:T1059-command-and-scripting-interpreter\",\"policy:threat-detection\",\"policy:best-practice\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A file executed from /dev/shm/ directory\",\"enabled\":true,\"expression\":\"exec.file.path == ~\\\"/dev/shm/**\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"devshm_execution\",\"product_tags\":[\"tactic:TA0005-defense-evasion\",\"technique:T1564-hide-artifacts\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"422-svi-03v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation\",\"enabled\":true,\"expression\":\"(splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) \\u003e 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"dirty_pipe_exploitation\",\"product_tags\":[\"tactic:TA0004-privilege-escalation\",\"technique:T1068-exploitation-for-privilege-escalation\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-psd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1754579371000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process connected to a paste site\",\"enabled\":true,\"expression\":\"connect.addr.hostname in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\", \\\"rentry.co\\\", \\\"transfer.sh\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"threat-detection.policy\"],\"name\":\"paste_site_domain\",\"product_tags\":[\"tactic:TA0011-command-and-control\",\"technique:T1105-ingress-tool-transfer\",\"policy:threat-detection\"],\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}}]}" }, "cookies": [], "headers": [ 
@@ -47,8 +47,8 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-06-04T08:45:53.099Z", - "time": 2591 + "startedDateTime": "2025-10-02T12:40:49.298Z", + "time": 4009 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-policies-returns-OK-response_3161339668/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-policies-returns-OK-response_3161339668/frozen.json index 401fc746b1df..55b1a3c0c33d 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-policies-returns-OK-response_3161339668/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-policies-returns-OK-response_3161339668/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:16.741Z" +"2025-10-02T12:40:53.320Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-policies-returns-OK-response_3161339668/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-policies-returns-OK-response_3161339668/recording.har index a0477ccbfe3c..1322d30be7ee 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-policies-returns-OK-response_3161339668/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Get-all-Workload-Protection-policies-returns-OK-response_3161339668/recording.har 
@@ -28,11 +28,11 @@ "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" }, "response": { - "bodySize": 4135, + "bodySize": 6779, "content": { "mimeType": "application/json", - "size": 4135, - "text": "{\"data\":[{\"id\":\"tq0-tji-i5m\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1747597121\",\"policyVersion\":\"3\",\"priority\":1000000010,\"ruleCount\":226,\"updateDate\":1747597121931,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"flw-lrk-xzo\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1747539521\",\"policyVersion\":\"3\",\"priority\":1000000009,\"ruleCount\":226,\"updateDate\":1747539521946,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bod-mnz-hk1\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1747525121\",\"policyVersion\":\"3\",\"priority\":1000000008,\"ruleCount\":226,\"updateDate\":1747525122007,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hxv-ezx-44x\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1747481921\",\"policyVersion\":\"3\",\"priority\":1000000007,\"ruleCount\":226,\"updateDate\":1747481921965,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ahl-zxe-fbg\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1747467521\",\"policyVersion\":\"3\",\"priority\":1000000006,\"ruleCount\":226,\"updateDate\":1747467521937,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"d1j-pkc-rhm\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1747453121\",\"policyVersion\":\"3\",\"priority\":1000000005,\"ruleCount\":226,\"updateDate\":1747453121950,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qve-9uc-uih\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1747438721\",\"policyVersion\":\"3\",\"priority\":1000000004,\"ruleCount\":226,\"updateDate\":1747438721983,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"gwd-neb-qml\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1747424321\",\"policyVersion\":\"3\",\"priority\":1000000003,\"ruleCount\":226,\"updateDate\":1747424321971,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"CWS_CUSTOM-canary\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"disabledRulesCount\":2,\"enabled\":false,\"monitoringRulesCount\":496,\"name\":\"Canary Custom Policy\",\"policyVersion\":\"58298\",\"priority\":1000000002,\"ruleCount\":498,\"updateDate\":1748012897594,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"CWS_DD\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":true,\"disabledRulesCount\":1,\"enabled\":true,\"monitoringRulesCount\":225,\"name\":\"Datadog Managed Policy\",\"policyVersion\":\"1.43.0-rc80\",\"priority\":0,\"ruleCount\":226,\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}}]}" + "size": 6779, + "text": "{\"data\":[{\"id\":\"0qm-ldp-cdh\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":0,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":0,\"name\":\"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759403557\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":0,\"updateDate\":1759403557986,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"4ul-ae4-a5f\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":0,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":0,\"name\":\"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1759403571\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":0,\"updateDate\":1759403572006,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"CWS_CUSTOM-canary\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"disabledRulesCount\":1,\"enabled\":false,\"monitoringRulesCount\":271,\"name\":\"Canary Custom Policy\",\"pinned\":false,\"policyVersion\":\"58422\",\"ruleCount\":272,\"updateDate\":1748012897594,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"best-practice.policy\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":true,\"disabledRulesCount\":1,\"enabled\":true,\"monitoringRulesCount\":7,\"name\":\"Best-practice Policy\",\"pinned\":false,\"policyVersion\":\"1.51.0-rc3\",\"ruleCount\":8,\"updateDate\":1752506673000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"},\"versions\":[{\"Name\":\"1.51.0-rc3\",\"Date\":null},{\"Name\":\"1.47.0-rc2\",\"Date\":null}]}},{\"id\":\"compliance.policy\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":true,\"disabledRulesCount\":0,\"enabled\":true,\"monitoringRulesCount\":90,\"name\":\"Compliance Policy\",\"pinned\":false,\"policyVersion\":\"1.53.0-rc4\",\"ruleCount\":90,\"updateDate\":1753453274000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"},\"versions\":[{\"Name\":\"1.47.0-rc2\",\"Date\":null},{\"Name\":\"1.53.0-rc4\",\"Date\":null}]}},{\"id\":\"dkv-ks4-cf0\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":0,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":0,\"name\":\"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1759403561\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":0,\"updateDate\":1759403561834,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"dlo-tpx-c6i\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":0,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":0,\"name\":\"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1759403556\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":0,\"updateDate\":1759403556615,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"gpd-fh3-lx9\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":0,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":0,\"name\":\"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759403571\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":0,\"updateDate\":1759403571251,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ic4-3pt-11g\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":0,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":0,\"name\":\"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1759403560\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":0,\"updateDate\":1759403560298,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ieh-pvl-oao\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":0,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":0,\"name\":\"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1759403557\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":0,\"updateDate\":1759403557227,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"j8d-3z6-sij\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":0,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":0,\"name\":\"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1759403573\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":0,\"updateDate\":1759403573915,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"kvl-3dk-tdr\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":0,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":0,\"name\":\"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1759403565\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":0,\"updateDate\":1759403565216,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"rdz-vx2-obu\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":0,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":0,\"name\":\"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1759403572\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":0,\"updateDate\":1759403572677,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"threat-detection.policy\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":true,\"disabledRulesCount\":0,\"enabled\":true,\"monitoringRulesCount\":188,\"name\":\"Threat-detection Policy\",\"pinned\":false,\"policyVersion\":\"1.54.0-rc9\",\"ruleCount\":188,\"updateDate\":1754579371000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"},\"versions\":[{\"Name\":\"1.53.0-rc8\",\"Date\":null},{\"Name\":\"1.54.0-rc9\",\"Date\":null},{\"Name\":\"1.47.1-rc3\",\"Date\":null}]}},{\"id\":\"zal-0mi-lzp\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":0,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":0,\"name\":\"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1759403566\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":0,\"updateDate\":1759403566325,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}]}" }, "cookies": [], "headers": [ @@ -47,8 +47,8 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:25:16.745Z", - "time": 434 + "startedDateTime": "2025-10-02T12:40:53.321Z", + "time": 613 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response_2364302884/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response_2364302884/frozen.json index 1b396217641d..553daa8fae55 100644 
--- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response_2364302884/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response_2364302884/frozen.json @@ -1 +1 @@ -"2025-06-13T15:16:28.583Z" +"2025-10-02T12:40:53.938Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response_2364302884/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response_2364302884/recording.har index c11b9b7b31b0..4c57aecfad93 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response_2364302884/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response_2364302884/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "810ba0e7b65631fcca87ce1a0cd5f608", + "_id": "14a21b3288c27ab02f9e99699b21821b", "_order": 0, "cache": {}, "request": { 
@@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1749827788\"},\"type\":\"policy\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759408853\"},\"type\":\"policy\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" }, "response": { - "bodySize": 454, + "bodySize": 450, "content": { "mimeType": "application/json", - "size": 454, - "text": "{\"data\":{\"id\":\"fuv-zyk-wli\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1749827788\",\"policyVersion\":\"1\",\"priority\":1000000013,\"ruleCount\":226,\"updateDate\":1749827789001,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 450, + "text": "{\"data\":{\"id\":\"8ia-diy-3xm\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":7,\"name\":\"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759408853\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":8,\"updateDate\":1759408854337,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ 
@@ -57,11 +57,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-06-13T15:16:28.588Z", - "time": 738 + "startedDateTime": "2025-10-02T12:40:53.940Z", + "time": 942 }, { - "_id": "99dc0fcda47cea534559aa7cd04cd884", + "_id": "02607765e05676c37df3d0d8eaaf981c", "_order": 0, "cache": {}, "request": { 
@@ -85,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"scope\":\"process\",\"value\":\"test_value\"}},{\"hash\":{}}],\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1749827788\",\"policy_id\":\"fuv-zyk-wli\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"scope\":\"process\",\"value\":\"test_value\"}},{\"hash\":{}}],\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759408853\",\"policy_id\":\"8ia-diy-3xm\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" }, "response": { - "bodySize": 687, + "bodySize": 705, "content": { "mimeType": "application/json", - "size": 687, - "text": "{\"data\":{\"id\":\"f8u-th8-0er\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\"},\"disabled\":false},{\"hash\":{},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1749827789457,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"fuv-zyk-wli\"],\"name\":\"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1749827788\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1749827789457,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + 
"size": 705, + "text": "{\"data\":{\"id\":\"ubz-diu-ppm\",\"type\":\"agent_rule\",\"attributes\":{\"actions\":[{\"set\":{\"name\":\"test_set\",\"value\":\"test_value\",\"scope\":\"process\",\"inherited\":false},\"disabled\":false},{\"hash\":{},\"disabled\":false}],\"category\":\"Process Activity\",\"creationDate\":1759408855249,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"8ia-diy-3xm\"],\"name\":\"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759408853\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1759408855249,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ @@ -110,11 +110,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-06-13T15:16:29.334Z", - "time": 998 + "startedDateTime": "2025-10-02T12:40:54.886Z", + "time": 888 }, { - "_id": "c8ce068a4f5fe11db6418812fbd0663a", + "_id": "4a4bd5223d4955115b5a313f5d11e9aa", "_order": 0, "cache": {}, "request": { 
@@ -138,10 +138,10 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"fuv-zyk-wli\",\"product_tags\":[]},\"id\":\"invalid-agent-rule-id\",\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"8ia-diy-3xm\",\"product_tags\":[]},\"id\":\"invalid-agent-rule-id\",\"type\":\"agent_rule\"}}" }, "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/f8u-th8-0er" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ubz-diu-ppm" }, "response": { "bodySize": 47, @@ -163,11 +163,11 @@ "status": 400, "statusText": "Bad Request" }, - "startedDateTime": "2025-06-13T15:16:30.341Z", - "time": 409 + "startedDateTime": "2025-10-02T12:40:55.779Z", + "time": 477 }, { - "_id": "c4679cc9c92b495c632c46f19e9c6df4", + "_id": "eafce4631141b1099350ac3d6b523aa6", "_order": 0, "cache": {}, "request": { @@ -184,7 +184,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/f8u-th8-0er" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ubz-diu-ppm" }, "response": { "bodySize": 0, @@ -205,11 +205,11 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-06-13T15:16:30.756Z", - "time": 970 + "startedDateTime": "2025-10-02T12:40:56.260Z", + "time": 974 }, { - "_id": "f69fbc99c22dac203d127fde976c8a5b", + "_id": "d3e403e2f41f844523a58497aa95ff02", "_order": 0, "cache": {}, "request": { 
@@ -226,7 +226,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/fuv-zyk-wli" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/8ia-diy-3xm" }, "response": { "bodySize": 0, @@ -247,8 +247,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-06-13T15:16:31.732Z", - "time": 858 + "startedDateTime": "2025-10-02T12:40:57.237Z", + "time": 977 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response_2499702243/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response_2499702243/frozen.json index a0e506245329..1ba5b50b6219 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response_2499702243/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response_2499702243/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:20.364Z" +"2025-10-02T12:40:58.217Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response_2499702243/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response_2499702243/recording.har index c2f3c4d7f59a..c735d9c11998 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response_2499702243/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response_2499702243/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "ade1962b9b53011cb8e8d07602426734", + "_id": "c8159f3e334269536760235ab0d44422", "_order": 0, "cache": {}, "request": { 
@@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1748341520\"},\"type\":\"policy\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1759408858\"},\"type\":\"policy\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" }, "response": { - "bodySize": 452, + "bodySize": 448, "content": { "mimeType": "application/json", - "size": 452, - "text": "{\"data\":{\"id\":\"tox-zep-tvj\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1748341520\",\"policyVersion\":\"1\",\"priority\":1000000011,\"ruleCount\":226,\"updateDate\":1748341520649,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 448, + "text": "{\"data\":{\"id\":\"ail-tkz-glv\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":7,\"name\":\"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1759408858\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":8,\"updateDate\":1759408858570,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ 
@@ -57,11 +57,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:25:20.365Z", - "time": 666 + "startedDateTime": "2025-10-02T12:40:58.218Z", + "time": 812 }, { - "_id": "013b553c4fcbecefbe81cdc708823c9d", + "_id": "641b3591f4d24c1e512834993844c746", "_order": 0, "cache": {}, "request": { @@ -85,7 +85,7 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"tox-zep-tvj\",\"product_tags\":[]},\"id\":\"non-existent-rule-id\",\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"ail-tkz-glv\",\"product_tags\":[]},\"id\":\"non-existent-rule-id\",\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/non-existent-rule-id" @@ -110,11 +110,11 @@ "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2025-05-27T10:25:21.033Z", - "time": 495 + "startedDateTime": "2025-10-02T12:40:59.034Z", + "time": 614 }, { - "_id": "a8a62ac5168f870287066ca2c29b04d9", + "_id": "8bbd59b3f400c2c4ab6d0591f8dc0c73", "_order": 0, "cache": {}, "request": { @@ -131,7 +131,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/tox-zep-tvj" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ail-tkz-glv" }, "response": { "bodySize": 0, @@ -152,8 +152,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-05-27T10:25:21.535Z", - "time": 558 + "startedDateTime": "2025-10-02T12:40:59.652Z", + "time": 1003 } ], "pages": [], 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Bad-Request-response_639460845/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Bad-Request-response_639460845/frozen.json index 56444e649cda..76bfb87f6fe1 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Bad-Request-response_639460845/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Bad-Request-response_639460845/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:22.099Z" +"2025-10-02T12:41:00.659Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Bad-Request-response_639460845/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Bad-Request-response_639460845/recording.har index 845009d7d4d8..ffd810c06e22 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Bad-Request-response_639460845/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Bad-Request-response_639460845/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "4cf7086a01b03ab47e746a3e30c76889", + "_id": "4a286a3f1ea83d571d5737c9786908c8", "_order": 0, "cache": {}, "request": { 
@@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1748341522\"},\"type\":\"policy\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1759408860\"},\"type\":\"policy\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" }, "response": { - "bodySize": 451, + "bodySize": 447, "content": { "mimeType": "application/json", - "size": 451, - "text": "{\"data\":{\"id\":\"ihh-rif-yh3\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1748341522\",\"policyVersion\":\"1\",\"priority\":1000000011,\"ruleCount\":226,\"updateDate\":1748341522393,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 447, + "text": "{\"data\":{\"id\":\"ijr-o1n-ljg\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":7,\"name\":\"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1759408860\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":8,\"updateDate\":1759408861137,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ 
@@ -57,11 +57,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:25:22.103Z", - "time": 668 + "startedDateTime": "2025-10-02T12:41:00.660Z", + "time": 1219 }, { - "_id": "d9cf05cb5080830d61389378cfe2123c", + "_id": "ae87bd0f130073e1040ba0318ee87e8b", "_order": 0, "cache": {}, "request": { @@ -85,10 +85,10 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:test\"],\"hostTagsLists\":[[\"env:test\"]],\"name\":\"\"},\"id\":\"ihh-rif-yh3\",\"type\":\"policy\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:test\"],\"hostTagsLists\":[[\"env:test\"]],\"name\":\"\"},\"id\":\"ijr-o1n-ljg\",\"type\":\"policy\"}}" }, "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ihh-rif-yh3" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ijr-o1n-ljg" }, "response": { "bodySize": 119, @@ -110,11 +110,11 @@ "status": 400, "statusText": "Bad Request" }, - "startedDateTime": "2025-05-27T10:25:22.776Z", - "time": 329 + "startedDateTime": "2025-10-02T12:41:01.884Z", + "time": 970 }, { - "_id": "830655ac65c12083eeec793a8d180584", + "_id": "ffa1405e9e878e4dc3522f3e9228baf2", "_order": 0, "cache": {}, "request": { @@ -131,7 +131,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ihh-rif-yh3" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ijr-o1n-ljg" }, "response": { "bodySize": 0, @@ -152,8 +152,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-05-27T10:25:23.114Z", - "time": 613 + "startedDateTime": "2025-10-02T12:41:02.859Z", + "time": 928 } ], "pages": [], 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Not-Found-response_794901262/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Not-Found-response_794901262/frozen.json index 3c9de23ee0d5..e1d4e3af69ed 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Not-Found-response_794901262/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Not-Found-response_794901262/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:23.729Z" +"2025-10-02T12:41:03.791Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Not-Found-response_794901262/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Not-Found-response_794901262/recording.har index 4499c421bda9..a0ffd46554ee 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Not-Found-response_794901262/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-Not-Found-response_794901262/recording.har @@ -57,8 +57,8 @@ "status": 400, "statusText": "Bad Request" }, - "startedDateTime": "2025-05-27T10:25:23.731Z", - "time": 438 + "startedDateTime": "2025-10-02T12:41:03.793Z", + "time": 712 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-OK-response_2319664561/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-OK-response_2319664561/frozen.json index facd45025eff..8b64ccd44dd3 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-OK-response_2319664561/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-OK-response_2319664561/frozen.json @@ -1 +1 @@ -"2025-05-27T10:25:24.176Z" +"2025-10-02T12:41:04.509Z" 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-OK-response_2319664561/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-OK-response_2319664561/recording.har index 5cce56dcb754..e06bafae3525 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-OK-response_2319664561/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Workload-Protection-policy-returns-OK-response_2319664561/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "b8057113460a80e3316dc5b4a9e4c84f", + "_id": "7f82246907d5ad37281ba840a6915e67", "_order": 0, "cache": {}, "request": { 
@@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateaworkloadprotectionpolicyreturnsokresponse1748341524\"},\"type\":\"policy\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateaworkloadprotectionpolicyreturnsokresponse1759408864\"},\"type\":\"policy\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" }, "response": { - "bodySize": 443, + "bodySize": 439, "content": { "mimeType": "application/json", - "size": 443, - "text": "{\"data\":{\"id\":\"qn1-4by-5zr\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateaworkloadprotectionpolicyreturnsokresponse1748341524\",\"policyVersion\":\"1\",\"priority\":1000000011,\"ruleCount\":226,\"updateDate\":1748341524459,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 439, + "text": "{\"data\":{\"id\":\"ofc-c9m-z0m\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:staging\"]],\"monitoringRulesCount\":7,\"name\":\"testupdateaworkloadprotectionpolicyreturnsokresponse1759408864\",\"pinned\":false,\"policyVersion\":\"1\",\"ruleCount\":8,\"updateDate\":1759408864996,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ 
@@ -57,11 +57,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:25:24.179Z", - "time": 552 + "startedDateTime": "2025-10-02T12:41:04.510Z", + "time": 1027 }, { - "_id": "df01da6df4f4c08a319c28cfe4b95eff", + "_id": "ccae3b3c786a5591652fa7975354087f", "_order": 0, "cache": {}, "request": { 
@@ -85,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"Updated agent policy\",\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"name\":\"updated_agent_policy\"},\"id\":\"qn1-4by-5zr\",\"type\":\"policy\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"Updated agent policy\",\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"name\":\"updated_agent_policy\"},\"id\":\"ofc-c9m-z0m\",\"type\":\"policy\"}}" }, "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/qn1-4by-5zr" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ofc-c9m-z0m" }, "response": { - "bodySize": 410, + "bodySize": 399, "content": { "mimeType": "application/json", - "size": 410, - "text": "{\"data\":{\"id\":\"qn1-4by-5zr\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"Updated agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"updated_agent_policy\",\"policyVersion\":\"2\",\"priority\":1000000011,\"ruleCount\":226,\"updateDate\":1748341525121,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 399, + "text": "{\"data\":{\"id\":\"ofc-c9m-z0m\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"Updated agent policy\",\"disabledRulesCount\":0,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":0,\"name\":\"updated_agent_policy\",\"pinned\":false,\"policyVersion\":\"2\",\"ruleCount\":0,\"updateDate\":1759408866292,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}" }, "cookies": [], "headers": [ 
@@ -110,11 +110,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-05-27T10:25:24.733Z", - "time": 749 + "startedDateTime": "2025-10-02T12:41:05.542Z", + "time": 1433 }, { - "_id": "eb6721fd8733df81892c7cdc7b31f7b4", + "_id": "1031d64ebf0717bce7105936df4efd0e", "_order": 0, "cache": {}, "request": { @@ -131,7 +131,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/qn1-4by-5zr" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ofc-c9m-z0m" }, "response": { "bodySize": 0, @@ -152,8 +152,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-05-27T10:25:25.492Z", - "time": 603 + "startedDateTime": "2025-10-02T12:41:06.979Z", + "time": 896 } ], "pages": [], diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.ts b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.ts index 9925d3c755f2..ad76bfbc9f7c 100644 --- a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.ts +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.ts @@ -17,6 +17,7 @@ const params: v2.CSMThreatsApiCreateCSMThreatsAgentRuleRequest = { description: "My Agent rule", enabled: true, expression: `exec.file.name == "sh"`, + agentVersion: "> 7.60", filters: [], name: "examplecsmthreat", policyId: POLICY_DATA_ID, diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1295653933.ts b/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1295653933.ts index 7d844be53065..85a7723db31f 100644 --- a/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1295653933.ts +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1295653933.ts @@ -27,6 +27,7 @@ const params: v2.CSMThreatsApiCreateCSMThreatsAgentRuleRequest = { name: "test_set", value: "test_value", scope: "process", + inherited: true, }, }, { 
diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1363354233.ts b/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1363354233.ts new file mode 100644 index 000000000000..18748e8c5767 --- /dev/null +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1363354233.ts @@ -0,0 +1,47 @@ +/** + * Create a Workload Protection agent rule with set action with expression returns "OK" response + */ + +import { client, v2 } from "@datadog/datadog-api-client"; + +const configuration = client.createConfiguration(); +const apiInstance = new v2.CSMThreatsApi(configuration); + +// there is a valid "policy_rc" in the system +const POLICY_DATA_ID = process.env.POLICY_DATA_ID as string; + +const params: v2.CSMThreatsApiCreateCSMThreatsAgentRuleRequest = { + body: { + data: { + attributes: { + description: "My Agent rule with set action with expression", + enabled: true, + expression: `exec.file.name == "sh"`, + filters: [], + name: "examplecsmthreat", + policyId: POLICY_DATA_ID, + productTags: [], + actions: [ + { + set: { + name: "test_set", + expression: "open.file.path", + defaultValue: "/dev/null", + scope: "process", + }, + }, + ], + }, + type: "agent_rule", + }, + }, +}; + +apiInstance + .createCSMThreatsAgentRule(params) + .then((data: v2.CloudWorkloadSecurityAgentRuleResponse) => { + console.log( + "API called successfully. Returned data: " + JSON.stringify(data) + ); + }) + .catch((error: any) => console.error(error)); diff --git a/features/v2/csm_threats.feature b/features/v2/csm_threats.feature index 4783aea35e11..18d73da57551 100644 --- a/features/v2/csm_threats.feature +++ b/features/v2/csm_threats.feature 
@@ -57,7 +57,7 @@ Feature: CSM Threats Scenario: Create a Workload Protection agent rule returns "OK" response Given there is a valid "policy_rc" in the system And new "CreateCSMThreatsAgentRule" request - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}} + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "agent_version": "> 7.60", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}} When the request is sent Then the response status is 200 OK 
@@ -65,7 +65,15 @@ Feature: CSM Threats Scenario: Create a Workload Protection agent rule with set action returns "OK" response Given there is a valid "policy_rc" in the system And new "CreateCSMThreatsAgentRule" request - And body with value {"data": {"attributes": {"description": "My Agent rule with set action", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": [], "actions": [{"set": {"name": "test_set", "value": "test_value", "scope": "process"}}, {"hash": {}}]}, "type": "agent_rule"}} + And body with value {"data": {"attributes": {"description": "My Agent rule with set action", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": [], "actions": [{"set": {"name": "test_set", "value": "test_value", "scope": "process", "inherited": true}}, {"hash": {}}]}, "type": "agent_rule"}} + When the request is sent + Then the response status is 200 OK + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Create a Workload Protection agent rule with set action with expression returns "OK" response + Given there is a valid "policy_rc" in the system + And new "CreateCSMThreatsAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule with set action with expression", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": [], "actions": [{"set": {"name": "test_set", "expression": "open.file.path", "default_value": "/dev/null", "scope": "process"}}]}, "type": "agent_rule"}} When the request is sent Then the response status is 200 OK 
@@ -152,7 +160,7 @@ Feature: CSM Threats @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get a Workload Protection agent rule (US1-FED) returns "Not Found" response Given new "GetCloudWorkloadSecurityAgentRule" request - And request contains "agent_rule_id" parameter with value "non-existent-rule-id" + And request contains "agent_rule_id" parameter with value "abc-def-ghi" When the request is sent Then the response status is 404 Not Found @@ -167,7 +175,7 @@ Feature: CSM Threats @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get a Workload Protection agent rule returns "Not Found" response Given new "GetCSMThreatsAgentRule" request - And request contains "agent_rule_id" parameter with value "non-existent-rule-id" + And request contains "agent_rule_id" parameter with value "abc-def-ghi" When the request is sent Then the response status is 404 Not Found diff --git a/packages/datadog-api-client-v2/index.ts b/packages/datadog-api-client-v2/index.ts index ac7f4793f391..fa11310609fc 100644 --- a/packages/datadog-api-client-v2/index.ts +++ b/packages/datadog-api-client-v2/index.ts 
@@ -1380,6 +1380,7 @@ export { CloudWorkloadSecurityAgentPolicyUpdateAttributes } from "./models/Cloud export { CloudWorkloadSecurityAgentPolicyUpdateData } from "./models/CloudWorkloadSecurityAgentPolicyUpdateData"; export { CloudWorkloadSecurityAgentPolicyUpdaterAttributes } from "./models/CloudWorkloadSecurityAgentPolicyUpdaterAttributes"; export { CloudWorkloadSecurityAgentPolicyUpdateRequest } from "./models/CloudWorkloadSecurityAgentPolicyUpdateRequest"; +export { CloudWorkloadSecurityAgentPolicyVersion } from "./models/CloudWorkloadSecurityAgentPolicyVersion"; export { CloudWorkloadSecurityAgentRuleAction } from "./models/CloudWorkloadSecurityAgentRuleAction"; export { CloudWorkloadSecurityAgentRuleActionMetadata } from "./models/CloudWorkloadSecurityAgentRuleActionMetadata"; export { CloudWorkloadSecurityAgentRuleActionSet } from "./models/CloudWorkloadSecurityAgentRuleActionSet"; diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyAttributes.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyAttributes.ts index e1ab30e82aab..9f43f22f6507 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyAttributes.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyAttributes.ts @@ -4,6 +4,7 @@ * Copyright 2020-Present Datadog, Inc. */ import { CloudWorkloadSecurityAgentPolicyUpdaterAttributes } from "./CloudWorkloadSecurityAgentPolicyUpdaterAttributes"; +import { CloudWorkloadSecurityAgentPolicyVersion } from "./CloudWorkloadSecurityAgentPolicyVersion"; import { AttributeTypeMap } from "../../datadog-api-client-common/util"; @@ -47,6 +48,10 @@ export class CloudWorkloadSecurityAgentPolicyAttributes { * The name of the policy */ "name"?: string; + /** + * Whether the policy is pinned + */ + "pinned"?: boolean; /** * The version of the policy */ 
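Review bot: The new `pinned` property on CloudWorkloadSecurityAgentPolicyAttributes is documented only as "Whether the policy is pinned", which restates the name and does not say what the policy is pinned to; read together with the `versions` list added in the following hunk it presumably means the policy is held at one agent policy version rather than following updates, but a reader of the generated model cannot tell. Since the comment comes from the OpenAPI `description`, the fix belongs in the schema, e.g. `description: Whether the policy is pinned to a specific version (see versions) instead of following updates` — confirm the intended semantics before wording it. As rendered, `"versions"?: Array;` shows no element type; presumably the generic `Array<CloudWorkloadSecurityAgentPolicyVersion>` was stripped by the page rendering, but it is worth confirming the emitted file carries it, since the `attributeTypeMap` entry `type: "Array"` shows the same loss.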
@@ -71,6 +76,10 @@ export class CloudWorkloadSecurityAgentPolicyAttributes { * The attributes of the user who last updated the policy */ "updater"?: CloudWorkloadSecurityAgentPolicyUpdaterAttributes; + /** + * The versions of the policy + */ + "versions"?: Array; /** * A container for additional, undeclared properties. @@ -127,6 +136,10 @@ export class CloudWorkloadSecurityAgentPolicyAttributes { baseName: "name", type: "string", }, + pinned: { + baseName: "pinned", + type: "boolean", + }, policyVersion: { baseName: "policyVersion", type: "string", @@ -155,6 +168,10 @@ export class CloudWorkloadSecurityAgentPolicyAttributes { baseName: "updater", type: "CloudWorkloadSecurityAgentPolicyUpdaterAttributes", }, + versions: { + baseName: "versions", + type: "Array", + }, additionalProperties: { baseName: "additionalProperties", type: "{ [key: string]: any; }", diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyVersion.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyVersion.ts new file mode 100644 index 000000000000..ab00944e8ef5 --- /dev/null +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyVersion.ts 
@@ -0,0 +1,60 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * The versions of the policy + */ +export class CloudWorkloadSecurityAgentPolicyVersion { + /** + * The date and time the version was created + */ + "date"?: string; + /** + * The version of the policy + */ + "name"?: string; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + date: { + baseName: "Date", + type: "string", + }, + name: { + baseName: "Name", + type: "string", + }, + additionalProperties: { + baseName: "additionalProperties", + type: "{ [key: string]: any; }", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return CloudWorkloadSecurityAgentPolicyVersion.attributeTypeMap; + } + + public constructor() {} +} diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleActionSet.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleActionSet.ts index 41612c9b5763..f1130cfd2458 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleActionSet.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleActionSet.ts 
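Review bot: The class doc on CloudWorkloadSecurityAgentPolicyVersion reads "The versions of the policy" although the class models a single entry of that list; suggest `* A single version entry of a policy: the version name and when it was created.`, which again needs to be changed in the OpenAPI description rather than in this generated file. The schema in this diff marks `Date` as `nullable: true`, yet the property is declared `"date"?: string;` with no `| null`; if the generator expresses nullable fields as `string | null` elsewhere in this package, this one should follow, otherwise a JSON `null` lands in a field typed as `string`. The wire keys `Date` and `Name` are capitalized, unlike the camelCase and snake_case keys used by every other model in this diff, so the `attributeTypeMap` mapping `date -> "Date"` looks like a typo at first glance; a short remark in the schema description that the backend emits these keys capitalized would save the next reader the detour.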
@@ -11,27 +11,39 @@ import { AttributeTypeMap } from "../../datadog-api-client-common/util"; */ export class CloudWorkloadSecurityAgentRuleActionSet { /** - * Whether the value should be appended to the field + * Whether the value should be appended to the field. */ "append"?: boolean; + /** + * The default value of the set action + */ + "defaultValue"?: string; + /** + * The expression of the set action. + */ + "expression"?: string; /** * The field of the set action */ "field"?: string; + /** + * Whether the value should be inherited. + */ + "inherited"?: boolean; /** * The name of the set action */ "name"?: string; /** - * The scope of the set action + * The scope of the set action. */ "scope"?: string; /** - * The size of the set action + * The size of the set action. */ "size"?: number; /** - * The time to live of the set action + * The time to live of the set action. */ "ttl"?: number; /** @@ -59,10 +71,22 @@ export class CloudWorkloadSecurityAgentRuleActionSet { baseName: "append", type: "boolean", }, + defaultValue: { + baseName: "default_value", + type: "string", + }, + expression: { + baseName: "expression", + type: "string", + }, field: { baseName: "field", type: "string", }, + inherited: { + baseName: "inherited", + type: "boolean", + }, name: { baseName: "name", type: "string", diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleAttributes.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleAttributes.ts index d914ad3d0807..67790ed4bb17 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleAttributes.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleAttributes.ts @@ -77,6 +77,10 @@ export class CloudWorkloadSecurityAgentRuleAttributes { * The list of product tags associated with the rule */ "productTags"?: Array; + /** + * Whether the rule is silent. + */ + "silent"?: boolean; /** * The ID of the user who updated the rule */ 
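Review bot: `expression`, `defaultValue` and the pre-existing `value` on CloudWorkloadSecurityAgentRuleActionSet are three ways of supplying the value to set, but none of the property docs say how they combine; from the new example in this diff (`expression: "open.file.path"`, `defaultValue: "/dev/null"`, no `value`) it looks like `default_value` applies when the expression does not resolve and that `value` and `expression` are alternatives — please confirm and state it in the OpenAPI descriptions, e.g. `description: The expression evaluated to compute the value; used instead of value.` and `description: The value used when the expression does not resolve.` `inherited` is documented as "Whether the value should be inherited." without saying by what; with `scope: "process"` in the example it presumably means the value is carried over to child processes — confirm and say so, since that changes the scope of any action keyed on it.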
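Review bot: `silent` on CloudWorkloadSecurityAgentRuleAttributes is documented as "Whether the rule is silent.", which restates the name; a defender reading the model needs to know whether a silent rule still evaluates and applies its actions but emits no security event, or is skipped entirely, because that decides whether it ever appears in detection output. Once the backend behaviour is confirmed, word the schema description along the lines of `Whether the rule is silent: it still evaluates and runs its actions, but does not generate an event.` The same one-line description is added to CloudWorkloadSecurityAgentRuleCreateAttributes and CloudWorkloadSecurityAgentRuleUpdateAttributes later in this diff and should be fixed in all three places.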
@@ -179,6 +183,10 @@ export class CloudWorkloadSecurityAgentRuleAttributes { baseName: "product_tags", type: "Array", }, + silent: { + baseName: "silent", + type: "boolean", + }, updateAuthorUuId: { baseName: "updateAuthorUuId", type: "string", diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateAttributes.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateAttributes.ts index a550b3457096..507581780946 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateAttributes.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateAttributes.ts @@ -16,7 +16,11 @@ export class CloudWorkloadSecurityAgentRuleCreateAttributes { */ "actions"?: Array; /** - * The blocking policies that the rule belongs to + * Constrain the rule to specific versions of the Datadog Agent. + */ + "agentVersion"?: string; + /** + * The blocking policies that the rule belongs to. */ "blocking"?: Array; /** @@ -24,11 +28,11 @@ export class CloudWorkloadSecurityAgentRuleCreateAttributes { */ "description"?: string; /** - * The disabled policies that the rule belongs to + * The disabled policies that the rule belongs to. */ "disabled"?: Array; /** - * Whether the Agent rule is enabled + * Whether the Agent rule is enabled. */ "enabled"?: boolean; /** @@ -36,11 +40,11 @@ export class CloudWorkloadSecurityAgentRuleCreateAttributes { */ "expression": string; /** - * The platforms the Agent rule is supported on + * The platforms the Agent rule is supported on. */ "filters"?: Array; /** - * The monitoring policies that the rule belongs to + * The monitoring policies that the rule belongs to. */ "monitoring"?: Array; /** 
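Review bot: `agentVersion` on CloudWorkloadSecurityAgentRuleCreateAttributes is documented as "Constrain the rule to specific versions of the Datadog Agent." but gives no syntax for the constraint; the example and feature file in this diff use `"> 7.60"`, so the description should state the accepted form, e.g. `Constrain the rule to specific versions of the Datadog Agent, as a version constraint such as "> 7.60".` (confirm which operators and ranges the backend accepts before listing them). The same property in CloudWorkloadSecurityAgentRuleUpdateAttributes carries the same text minus the trailing period, so the two descriptions should be aligned when updated. The hunks in view add `agent_version` to the create and update attributes but not, as far as is visible here, to the response model CloudWorkloadSecurityAgentRuleAttributes; if the backend echoes the constraint back, readers will expect it there as well.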
@@ -48,13 +52,17 @@ export class CloudWorkloadSecurityAgentRuleCreateAttributes { */ "name": string; /** - * The ID of the policy where the Agent rule is saved + * The ID of the policy where the Agent rule is saved. */ "policyId"?: string; /** - * The list of product tags associated with the rule + * The list of product tags associated with the rule. */ "productTags"?: Array; + /** + * Whether the rule is silent. + */ + "silent"?: boolean; /** * A container for additional, undeclared properties. @@ -76,6 +84,10 @@ export class CloudWorkloadSecurityAgentRuleCreateAttributes { baseName: "actions", type: "Array", }, + agentVersion: { + baseName: "agent_version", + type: "string", + }, blocking: { baseName: "blocking", type: "Array", @@ -118,6 +130,10 @@ export class CloudWorkloadSecurityAgentRuleCreateAttributes { baseName: "product_tags", type: "Array", }, + silent: { + baseName: "silent", + type: "boolean", + }, additionalProperties: { baseName: "additionalProperties", type: "{ [key: string]: any; }", diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateAttributes.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateAttributes.ts index 0cfbbb5765b5..e1fc615dbcfd 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateAttributes.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateAttributes.ts @@ -15,6 +15,10 @@ export class CloudWorkloadSecurityAgentRuleUpdateAttributes { * The array of actions the rule can perform if triggered */ "actions"?: Array; + /** + * Constrain the rule to specific versions of the Datadog Agent + */ + "agentVersion"?: string; /** * The blocking policies that the rule belongs to */ 
@@ -47,6 +51,10 @@ export class CloudWorkloadSecurityAgentRuleUpdateAttributes { * The list of product tags associated with the rule */ "productTags"?: Array; + /** + * Whether the rule is silent. + */ + "silent"?: boolean; /** * A container for additional, undeclared properties. @@ -68,6 +76,10 @@ export class CloudWorkloadSecurityAgentRuleUpdateAttributes { baseName: "actions", type: "Array", }, + agentVersion: { + baseName: "agent_version", + type: "string", + }, blocking: { baseName: "blocking", type: "Array", @@ -100,6 +112,10 @@ export class CloudWorkloadSecurityAgentRuleUpdateAttributes { baseName: "product_tags", type: "Array", }, + silent: { + baseName: "silent", + type: "boolean", + }, additionalProperties: { baseName: "additionalProperties", type: "{ [key: string]: any; }", diff --git a/packages/datadog-api-client-v2/models/ObjectSerializer.ts b/packages/datadog-api-client-v2/models/ObjectSerializer.ts index 24806d701347..014c8b0ba112 100644 --- a/packages/datadog-api-client-v2/models/ObjectSerializer.ts +++ b/packages/datadog-api-client-v2/models/ObjectSerializer.ts @@ -372,6 +372,7 @@ import { CloudWorkloadSecurityAgentPolicyUpdateAttributes } from "./CloudWorkloa import { CloudWorkloadSecurityAgentPolicyUpdateData } from "./CloudWorkloadSecurityAgentPolicyUpdateData"; import { CloudWorkloadSecurityAgentPolicyUpdateRequest } from "./CloudWorkloadSecurityAgentPolicyUpdateRequest"; import { CloudWorkloadSecurityAgentPolicyUpdaterAttributes } from "./CloudWorkloadSecurityAgentPolicyUpdaterAttributes"; +import { CloudWorkloadSecurityAgentPolicyVersion } from "./CloudWorkloadSecurityAgentPolicyVersion"; import { CloudWorkloadSecurityAgentRuleAction } from "./CloudWorkloadSecurityAgentRuleAction"; import { CloudWorkloadSecurityAgentRuleActionMetadata } from "./CloudWorkloadSecurityAgentRuleActionMetadata"; import { CloudWorkloadSecurityAgentRuleActionSet } from "./CloudWorkloadSecurityAgentRuleActionSet"; 
@@ -4364,6 +4365,8 @@ const typeMap: { [index: string]: any } = { CloudWorkloadSecurityAgentPolicyUpdateRequest, CloudWorkloadSecurityAgentPolicyUpdaterAttributes: CloudWorkloadSecurityAgentPolicyUpdaterAttributes, + CloudWorkloadSecurityAgentPolicyVersion: + CloudWorkloadSecurityAgentPolicyVersion, CloudWorkloadSecurityAgentRuleAction: CloudWorkloadSecurityAgentRuleAction, CloudWorkloadSecurityAgentRuleActionMetadata: CloudWorkloadSecurityAgentRuleActionMetadata,