diff --git a/.apigentools-info b/.apigentools-info index c29e3ad0e9..2fa0213d8c 100644 --- a/.apigentools-info +++ b/.apigentools-info @@ -4,13 +4,13 @@ "spec_versions": { "v1": { "apigentools_version": "1.6.6", - "regenerated": "2025-05-09 14:41:37.186745", - "spec_repo_commit": "f0e5e32f" + "regenerated": "2025-05-09 16:46:47.466283", + "spec_repo_commit": "38260775" }, "v2": { "apigentools_version": "1.6.6", - "regenerated": "2025-05-09 14:41:37.315993", - "spec_repo_commit": "f0e5e32f" + "regenerated": "2025-05-09 16:46:47.481169", + "spec_repo_commit": "38260775" } } } \ No newline at end of file diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index e1a404d9a7..689bebb1b4 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -216,13 +216,29 @@ components: schema: type: string CloudWorkloadSecurityAgentRuleID: - description: The ID of the Agent rule. + description: The ID of the Agent rule example: 3b5-v82-ns6 in: path name: agent_rule_id required: true schema: type: string + CloudWorkloadSecurityPathAgentPolicyID: + description: The ID of the Agent policy + example: 6517fcc1-cec7-4394-a655-8d6e9d085255 + in: path + name: policy_id + required: true + schema: + type: string + CloudWorkloadSecurityQueryAgentPolicyID: + description: The ID of the Agent policy + example: 6517fcc1-cec7-4394-a655-8d6e9d085255 + in: query + name: policy_id + required: false + schema: + type: string ConfluentAccountID: description: Confluent Account ID. in: path 
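Review bot: `CloudWorkloadSecurityQueryAgentPolicyID` is declared `required: false`, but its description, `The ID of the Agent policy`, says nothing about what scope applies when the query parameter is omitted on the agent-rule endpoints that reference it. Because the same parameter is attached to DELETE and PATCH of a rule, a caller cannot tell whether omitting it falls back to a default policy, searches every policy, or is rejected. I would extend the description to something like `The ID of the Agent policy the rule belongs to; when omitted the rule is resolved in the default policy — confirm actual behavior`, with the hedge replaced by whatever the backend really does. The example value is a UUID while `CloudWorkloadSecurityAgentRuleID` uses the short form `3b5-v82-ns6`, so if policy IDs are always UUIDs, adding `format: uuid` would let generated clients validate them before sending.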
@@ -7212,8 +7228,240 @@ components: type: string x-enum-varnames: - CLOUD_CONFIGURATION + CloudWorkloadSecurityAgentPoliciesListResponse: + description: Response object that includes a list of Agent policies + properties: + data: + description: A list of Agent policy objects + items: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyData' + type: array + type: object + CloudWorkloadSecurityAgentPolicyAttributes: + description: A Cloud Workload Security Agent policy returned by the API + properties: + blockingRulesCount: + description: The number of rules with the blocking feature in this policy + example: 100 + format: int32 + maximum: 2147483647 + type: integer + datadogManaged: + description: Whether the policy is managed by Datadog + example: false + type: boolean + description: + description: The description of the policy + example: My agent policy + type: string + disabledRulesCount: + description: The number of rules that are disabled in this policy + example: 100 + format: int32 + maximum: 2147483647 + type: integer + enabled: + description: Whether the Agent policy is enabled + example: true + type: boolean + hostTags: + description: The host tags defining where this policy is deployed + items: + type: string + type: array + hostTagsLists: + description: The host tags defining where this policy is deployed, the inner + values are linked with AND, the outer values are linked with OR + items: + items: + type: string + type: array + type: array + monitoringRulesCount: + description: The number of rules in the monitoring state in this policy + example: 100 + format: int32 + maximum: 2147483647 + type: integer + name: + description: The name of the policy + example: my_agent_policy + type: string + policyVersion: + description: The version of the policy + example: '1' + type: string + priority: + description: The priority of the policy + example: 10 + format: int64 + type: integer + ruleCount: + description: The number of rules in this policy + 
example: 100 + format: int32 + maximum: 2147483647 + type: integer + updateDate: + description: Timestamp in milliseconds when the policy was last updated + example: 1624366480320 + format: int64 + type: integer + updatedAt: + description: When the policy was last updated, timestamp in milliseconds + example: 1624366480320 + format: int64 + type: integer + updater: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdaterAttributes' + type: object + CloudWorkloadSecurityAgentPolicyCreateAttributes: + description: Create a new Cloud Workload Security Agent policy + properties: + description: + description: The description of the policy + example: My agent policy + type: string + enabled: + description: Whether the policy is enabled + example: true + type: boolean + hostTags: + description: The host tags defining where this policy is deployed + items: + type: string + type: array + hostTagsLists: + description: The host tags defining where this policy is deployed, the inner + values are linked with AND, the outer values are linked with OR + items: + items: + type: string + type: array + type: array + name: + description: The name of the policy + example: my_agent_policy + type: string + required: + - name + type: object + CloudWorkloadSecurityAgentPolicyCreateData: + description: Object for a single Agent rule + properties: + attributes: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyCreateAttributes' + type: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyType' + required: + - attributes + - type + type: object + CloudWorkloadSecurityAgentPolicyCreateRequest: + description: Request object that includes the Agent policy to create + properties: + data: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyCreateData' + required: + - data + type: object + CloudWorkloadSecurityAgentPolicyData: + description: Object for a single Agent policy + properties: + attributes: + $ref: 
'#/components/schemas/CloudWorkloadSecurityAgentPolicyAttributes' + id: + description: The ID of the Agent policy + example: 6517fcc1-cec7-4394-a655-8d6e9d085255 + type: string + type: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyType' + type: object + CloudWorkloadSecurityAgentPolicyID: + description: The ID of the Agent policy + example: 6517fcc1-cec7-4394-a655-8d6e9d085255 + type: string + CloudWorkloadSecurityAgentPolicyResponse: + description: Response object that includes an Agent policy + properties: + data: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyData' + type: object + CloudWorkloadSecurityAgentPolicyType: + default: policy + description: The type of the resource, must always be `policy` + enum: + - policy + example: policy + type: string + x-enum-varnames: + - POLICY + CloudWorkloadSecurityAgentPolicyUpdateAttributes: + description: Update an existing Cloud Workload Security Agent policy + properties: + description: + description: The description of the policy + example: My agent policy + type: string + enabled: + description: Whether the policy is enabled + example: true + type: boolean + hostTags: + description: The host tags defining where this policy is deployed + items: + type: string + type: array + hostTagsLists: + description: The host tags defining where this policy is deployed, the inner + values are linked with AND, the outer values are linked with OR + items: + items: + type: string + type: array + type: array + name: + description: The name of the policy + example: my_agent_policy + type: string + type: object + CloudWorkloadSecurityAgentPolicyUpdateData: + description: Object for a single Agent policy + properties: + attributes: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdateAttributes' + id: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyID' + type: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyType' + required: + - attributes + - type + type: object + 
CloudWorkloadSecurityAgentPolicyUpdateRequest: + description: Request object that includes the Agent policy with the attributes + to update + properties: + data: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdateData' + required: + - data + type: object + CloudWorkloadSecurityAgentPolicyUpdaterAttributes: + description: The attributes of the user who last updated the policy + properties: + handle: + description: The handle of the user + example: datadog.user@example.com + type: string + name: + description: The name of the user + example: Datadog User + nullable: true + type: string + type: object CloudWorkloadSecurityAgentRuleAction: - description: The action the rule can perform if triggered. + description: The action the rule can perform if triggered properties: filter: description: SECL expression used to target the container to apply the action 
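Review bot: `CloudWorkloadSecurityAgentPolicyCreateData` carries the description `Object for a single Agent rule`, a copy-paste from the rule schema; it should read `Object for a single Agent policy` like `CloudWorkloadSecurityAgentPolicyData` and `CloudWorkloadSecurityAgentPolicyUpdateData` in the same hunk. The create and update attribute schemas expose both `hostTags` and `hostTagsLists` with overlapping descriptions and no statement of precedence when both are set, which matters because these fields decide which hosts receive a policy whose rules may carry kill actions; I would add to each `hostTags` description something like `Ignored when hostTagsLists is provided` if that is the actual behavior, and otherwise spell out how the two combine. `enabled` has no `default`, so a reader cannot tell whether a policy created without it is live on matching hosts immediately; the server default belongs in the description. `CloudWorkloadSecurityAgentPolicyUpdateData.id` is optional while the PATCH path also carries `policy_id`, so the description should say the two must match or that the body `id` is ignored. The hunk ends inside `CloudWorkloadSecurityAgentRuleAction`, whose remaining properties are outside this view.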
@@ -7223,77 +7471,82 @@ components: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleKill' type: object CloudWorkloadSecurityAgentRuleActions: - description: The array of actions the rule can perform if triggered. + description: The array of actions the rule can perform if triggered items: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleAction' nullable: true type: array CloudWorkloadSecurityAgentRuleAttributes: - description: A Cloud Workload Security Agent rule returned by the API. + description: A Cloud Workload Security Agent rule returned by the API properties: actions: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActions' agentConstraint: - description: The version of the agent. + description: The version of the Agent type: string category: - description: The category of the Agent rule. + description: The category of the Agent rule example: Process Activity type: string creationAuthorUuId: - description: The ID of the user who created the rule. + description: The ID of the user who created the rule example: e51c9744-d158-11ec-ad23-da7ad0900002 type: string creationDate: - description: When the Agent rule was created, timestamp in milliseconds. + description: When the Agent rule was created, timestamp in milliseconds example: 1624366480320 format: int64 type: integer creator: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreatorAttributes' defaultRule: - description: Whether the rule is included by default. + description: Whether the rule is included by default example: false type: boolean description: - description: The description of the Agent rule. + description: The description of the Agent rule example: My Agent rule type: string enabled: - description: Whether the Agent rule is enabled. + description: Whether the Agent rule is enabled example: true type: boolean expression: - description: The SECL expression of the Agent rule. 
- example: exec.file.name == \"sh\" + description: The SECL expression of the Agent rule + example: exec.file.name == "sh" type: string filters: - description: The platforms the Agent rule is supported on. + description: The platforms the Agent rule is supported on items: type: string type: array name: - description: The name of the Agent rule. + description: The name of the Agent rule example: my_agent_rule type: string + product_tags: + description: The list of product tags associated with the rule + items: + type: string + type: array updateAuthorUuId: - description: The ID of the user who updated the rule. + description: The ID of the user who updated the rule example: e51c9744-d158-11ec-ad23-da7ad0900002 type: string updateDate: - description: Timestamp in milliseconds when the Agent rule was last updated. + description: Timestamp in milliseconds when the Agent rule was last updated example: 1624366480320 format: int64 type: integer updatedAt: - description: When the Agent rule was last updated, timestamp in milliseconds. + description: When the Agent rule was last updated, timestamp in milliseconds example: 1624366480320 format: int64 type: integer updater: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdaterAttributes' version: - description: The version of the Agent rule. + description: The version of the Agent rule example: 23 format: int64 type: integer @@ -7306,15 +7559,15 @@ components: example: My Agent rule type: string enabled: - description: Whether the Agent rule is enabled. + description: Whether the Agent rule is enabled example: true type: boolean expression: description: The SECL expression of the Agent rule. - example: exec.file.name == \"sh\" + example: exec.file.name == "sh" type: string filters: - description: The platforms the Agent rule is supported on. + description: The platforms the Agent rule is supported on items: type: string type: array 
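Review bot: The new `product_tags` property on `CloudWorkloadSecurityAgentRuleAttributes` is described only as `The list of product tags associated with the rule`, which does not say what a product tag is, where the allowed values come from, or whether the field is read-only in this response schema. Without that, client authors will guess at values to echo back in create and update requests. I would expand it to something like `Product tags associated with the rule; values are assigned by the platform — confirm whether user-supplied values are accepted` until the backend contract is pinned down. The rest of these two hunks is punctuation cleanup plus the corrected SECL example `exec.file.name == "sh"`, which no longer carries the stray backslashes.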
@@ -7322,12 +7575,21 @@ components: description: The name of the Agent rule. example: my_agent_rule type: string + policy_id: + description: The ID of the policy where the Agent rule is saved + example: a8c8e364-6556-434d-b798-a4c23de29c0b + type: string + product_tags: + description: The list of product tags associated with the rule + items: + type: string + type: array required: - name - expression type: object CloudWorkloadSecurityAgentRuleCreateData: - description: Object for a single Agent rule. + description: Object for a single Agent rule properties: attributes: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateAttributes' @@ -7338,7 +7600,7 @@ components: - type type: object CloudWorkloadSecurityAgentRuleCreateRequest: - description: Request object that includes the Agent rule to create. + description: Request object that includes the Agent rule to create properties: data: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateData' 
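Review bot: `policy_id` on `CloudWorkloadSecurityAgentRuleCreateAttributes` is optional and described only as `The ID of the policy where the Agent rule is saved`, yet this schema is also the request body of the legacy `/api/v2/security_monitoring/cloud_workload_security/agent_rules` POST later in this diff, and `CreateCSMThreatsAgentRule.py` treats it as mandatory (`POLICY_DATA_ID = environ["POLICY_DATA_ID"]`). The description should state what happens when the field is omitted (default policy or an error) and whether the legacy endpoint honors or ignores it, e.g. `The ID of the policy where the Agent rule is saved; ignored by the security_monitoring endpoints, defaulted by the remote_config endpoints — confirm`. A rule created into the wrong policy is deployed to a different set of hosts, so this default is worth one explicit sentence.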
@@ -7346,50 +7608,50 @@ components: - data type: object CloudWorkloadSecurityAgentRuleCreatorAttributes: - description: The attributes of the user who created the Agent rule. + description: The attributes of the user who created the Agent rule properties: handle: - description: The handle of the user. + description: The handle of the user example: datadog.user@example.com type: string name: - description: The name of the user. + description: The name of the user example: Datadog User nullable: true type: string type: object CloudWorkloadSecurityAgentRuleData: - description: Object for a single Agent rule. + description: Object for a single Agent rule properties: attributes: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleAttributes' id: - description: The ID of the Agent rule. + description: The ID of the Agent rule example: 3dd-0uc-h1s type: string type: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleType' type: object CloudWorkloadSecurityAgentRuleID: - description: The ID of the agent rule. + description: The ID of the Agent rule example: 3dd-0uc-h1s type: string CloudWorkloadSecurityAgentRuleKill: description: Kill system call applied on the container matching the rule properties: signal: - description: Supported signals for the kill system call. + description: Supported signals for the kill system call type: string type: object CloudWorkloadSecurityAgentRuleResponse: - description: Response object that includes an Agent rule. + description: Response object that includes an Agent rule properties: data: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleData' type: object CloudWorkloadSecurityAgentRuleType: default: agent_rule - description: The type of the resource. The value should always be `agent_rule`. + description: The type of the resource, must always be `agent_rule` enum: - agent_rule example: agent_rule 
@@ -7397,23 +7659,32 @@ components: x-enum-varnames: - AGENT_RULE CloudWorkloadSecurityAgentRuleUpdateAttributes: - description: Update an existing Cloud Workload Security Agent rule. + description: Update an existing Cloud Workload Security Agent rule properties: description: - description: The description of the Agent rule. + description: The description of the Agent rule example: My Agent rule type: string enabled: - description: Whether the Agent rule is enabled. + description: Whether the Agent rule is enabled example: true type: boolean expression: - description: The SECL expression of the Agent rule. - example: exec.file.name == \"sh\" + description: The SECL expression of the Agent rule + example: exec.file.name == "sh" type: string + policy_id: + description: The ID of the policy where the Agent rule is saved + example: a8c8e364-6556-434d-b798-a4c23de29c0b + type: string + product_tags: + description: The list of product tags associated with the rule + items: + type: string + type: array type: object CloudWorkloadSecurityAgentRuleUpdateData: - description: Object for a single Agent rule. + description: Object for a single Agent rule properties: attributes: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateAttributes' @@ -7427,7 +7698,7 @@ components: type: object CloudWorkloadSecurityAgentRuleUpdateRequest: description: Request object that includes the Agent rule with the attributes - to update. + to update properties: data: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateData' 
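Review bot: `CloudWorkloadSecurityAgentRuleUpdateAttributes` now accepts `policy_id` in the body while the PATCH on `/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}` also takes `policy_id` as a query parameter, and nothing says which one wins or whether a body value that differs from the query value moves the rule to another policy. Moving a rule, possibly one with a kill action, between policies changes the hosts it applies to, so this should be explicit: either `Must match the policy_id query parameter; changing the policy of an existing rule is not supported` or a documented move semantic. I would also say whether `product_tags` in an update replaces or merges with the existing list, since PATCH semantics for arrays are otherwise ambiguous.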
@@ -7435,23 +7706,23 @@ components: - data type: object CloudWorkloadSecurityAgentRuleUpdaterAttributes: - description: The attributes of the user who last updated the Agent rule. + description: The attributes of the user who last updated the Agent rule properties: handle: - description: The handle of the user. + description: The handle of the user example: datadog.user@example.com type: string name: - description: The name of the user. + description: The name of the user example: Datadog User nullable: true type: string type: object CloudWorkloadSecurityAgentRulesListResponse: - description: Response object that includes a list of Agent rule. + description: Response object that includes a list of Agent rule properties: data: - description: A list of Agent rules objects. + description: A list of Agent rules objects items: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleData' type: array @@ -52399,8 +52670,10 @@ paths: x-terraform-resource: appsec_waf_exclusion_filter /api/v2/remote_config/products/cws/agent_rules: get: - description: Get the list of Cloud Security Management Threats Agent rules. + description: Get the list of Cloud Security Management Threats Agent rules operationId: ListCSMThreatsAgentRules + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityQueryAgentPolicyID' responses: '200': content: @@ -52417,14 +52690,14 @@ paths: - CSM Threats post: description: Create a new Cloud Security Management Threats Agent rule with - the given parameters. + the given parameters operationId: CreateCSMThreatsAgentRule requestBody: content: application/json: schema: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateRequest' - description: The definition of the new Agent rule. + description: The definition of the new Agent rule required: true responses: '200': 
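Review bot: The list endpoint `ListCSMThreatsAgentRules` gains the optional `policy_id` query filter, but the operation description still reads `Get the list of Cloud Security Management Threats Agent rules` and does not say whether omitting the filter returns rules across all policies or only the default one. That distinction decides whether an operator auditing deployed rules sees the full set, so I would change it to `Get the list of Cloud Security Management Threats Agent rules, optionally filtered by policy_id; without the filter, rules from all policies are returned` (or whichever is true). None of the remote_config CSM Threats operations in this diff declare an `x-permission` block, unlike the `security_monitoring` agent-rule operations further down that list `security_monitoring_cws_agent_rules_write`; if that is intentional it deserves a note, and if a permission is enforced it should be declared so generated docs show it.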
@@ -52447,10 +52720,11 @@ paths: x-codegen-request-body-name: body /api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}: delete: - description: Delete a specific Cloud Security Management Threats Agent rule. + description: Delete a specific Cloud Security Management Threats Agent rule operationId: DeleteCSMThreatsAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + - $ref: '#/components/parameters/CloudWorkloadSecurityQueryAgentPolicyID' responses: '204': description: OK @@ -52465,10 +52739,11 @@ paths: - CSM Threats get: description: Get the details of a specific Cloud Security Management Threats - Agent rule. + Agent rule operationId: GetCSMThreatsAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + - $ref: '#/components/parameters/CloudWorkloadSecurityQueryAgentPolicyID' responses: '200': content: @@ -52492,12 +52767,13 @@ paths: operationId: UpdateCSMThreatsAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + - $ref: '#/components/parameters/CloudWorkloadSecurityQueryAgentPolicyID' requestBody: content: application/json: schema: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateRequest' - description: New definition of the Agent rule. + description: New definition of the Agent rule required: true responses: '200': 
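Review bot: `DeleteCSMThreatsAgentRule` now accepts an optional `policy_id` query parameter alongside the path `agent_rule_id`, with no statement of what is deleted when the two disagree or when `policy_id` is omitted. Deletion is irreversible and removes detection or blocking coverage from every host the policy targets, so the contract should be tight: either make the parameter required for this operation, or document `When policy_id is omitted the rule is resolved in the default policy; a rule ID that does not belong to the given policy returns 404`. The same wording applies to the GET and PATCH in this path item. The DELETE response list is cut off after `'204'` in this hunk, so I cannot see whether a 404 is declared for a mismatched pair.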
@@ -52520,6 +52796,54 @@ paths: tags: - CSM Threats x-codegen-request-body-name: body + /api/v2/remote_config/products/cws/policy: + get: + description: Get the list of Cloud Security Management Threats Agent policies + operationId: ListCSMThreatsAgentPolicies + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPoliciesListResponse' + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Get all CSM Threats Agent policies + tags: + - CSM Threats + post: + description: Create a new Cloud Security Management Threats Agent policy with + the given parameters + operationId: CreateCSMThreatsAgentPolicy + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyCreateRequest' + description: The definition of the new Agent policy + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyResponse' + description: OK + '400': + $ref: '#/components/responses/BadRequestResponse' + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '409': + $ref: '#/components/responses/ConflictResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Create a CSM Threats Agent policy + tags: + - CSM Threats + x-codegen-request-body-name: body /api/v2/remote_config/products/cws/policy/download: get: description: 'The download endpoint generates a CSM Threats policy file from 
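Review bot: `CreateCSMThreatsAgentPolicy` returns `'200'` for a successful create and declares no `x-permission`, while the operation creates an object that, once `enabled`, is deployed to every host matching its tag lists. The create operation is the natural place to state the authorization requirement and what `enabled` defaults to when omitted; I would add to the description something like `A policy created with enabled=true is distributed to all hosts matching hostTagsLists; omit enabled or set it to false to stage it first — confirm default`. `ListCSMThreatsAgentPolicies` declares no pagination parameters, so if the number of policies can grow the response contract should say the list is complete. A `'201'` response would better match create semantics, but that is a style point and may be constrained by the existing endpoints.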
@@ -52545,6 +52869,83 @@ paths: summary: Get the latest CSM Threats policy tags: - CSM Threats + /api/v2/remote_config/products/cws/policy/{policy_id}: + delete: + description: Delete a specific Cloud Security Management Threats Agent policy + operationId: DeleteCSMThreatsAgentPolicy + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityPathAgentPolicyID' + responses: + '202': + description: OK + '204': + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '404': + $ref: '#/components/responses/NotFoundResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Delete a CSM Threats Agent policy + tags: + - CSM Threats + get: + description: Get the details of a specific Cloud Security Management Threats + Agent policy + operationId: GetCSMThreatsAgentPolicy + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityPathAgentPolicyID' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyResponse' + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '404': + $ref: '#/components/responses/NotFoundResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Get a CSM Threats Agent policy + tags: + - CSM Threats + patch: + description: 'Update a specific Cloud Security Management Threats Agent policy. + + Returns the Agent policy object when the request is successful.' 
+ operationId: UpdateCSMThreatsAgentPolicy + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityPathAgentPolicyID' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdateRequest' + description: New definition of the Agent policy + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyResponse' + description: OK + '400': + $ref: '#/components/responses/BadRequestResponse' + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '404': + $ref: '#/components/responses/NotFoundResponse' + '409': + $ref: '#/components/responses/ConcurrentModificationResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Update a CSM Threats Agent policy + tags: + - CSM Threats + x-codegen-request-body-name: body /api/v2/remote_config/products/obs_pipelines/pipelines: get: description: Retrieve a list of pipelines. @@ -55501,7 +55902,7 @@ paths: - security_monitoring_notification_profiles_write /api/v2/security_monitoring/cloud_workload_security/agent_rules: get: - description: Get the list of Agent rules. + description: Get the list of Agent rules operationId: ListCloudWorkloadSecurityAgentRules responses: '200': @@ -55529,7 +55930,7 @@ paths: application/json: schema: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateRequest' - description: The definition of the new Agent rule. + description: The definition of the new Agent rule required: true responses: '200': @@ -55556,7 +55957,7 @@ paths: - security_monitoring_cws_agent_rules_write /api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}: delete: - description: Delete a specific Agent rule. + description: Delete a specific Agent rule operationId: DeleteCloudWorkloadSecurityAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' 
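Review bot: `DeleteCSMThreatsAgentPolicy` declares both `'202'` and `'204'` with the description `OK`, which leaves a client unable to tell whether a 202 means the deletion is still propagating to agents via remote config and hosts may keep enforcing the policy for a while. The two should have distinct descriptions, e.g. `Accepted — deletion is in progress and propagates to agents asynchronously` and `Deleted`. `UpdateCSMThreatsAgentPolicy` maps `'409'` to `ConcurrentModificationResponse`, yet `CloudWorkloadSecurityAgentPolicyUpdateRequest` carries no version field and `policyVersion` exists only on the read-only attributes, so the spec should say how a client expresses the version it is updating from (a body field, an `If-Match` header, or none). The hunk also adds `/policy/{policy_id}` next to the existing `/policy/download`; OpenAPI resolves the literal segment first, which is fine for UUID IDs, but a comment noting the reserved segment avoids surprises.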
@@ -55577,7 +55978,7 @@ paths: permissions: - security_monitoring_cws_agent_rules_write get: - description: Get the details of a specific Agent rule. + description: Get the details of a specific Agent rule operationId: GetCloudWorkloadSecurityAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' @@ -55613,7 +56014,7 @@ paths: application/json: schema: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateRequest' - description: New definition of the Agent rule. + description: New definition of the Agent rule required: true responses: '200': diff --git a/docs/datadog_api_client.v2.model.rst b/docs/datadog_api_client.v2.model.rst index 9ab4d6c1a2..87b9e927ce 100644 --- a/docs/datadog_api_client.v2.model.rst +++ b/docs/datadog_api_client.v2.model.rst 
@@ -2748,6 +2748,90 @@ datadog\_api\_client.v2.model.cloud\_configuration\_rule\_type module :members: :show-inheritance: +datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_policies\_list\_response module +----------------------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_policies_list_response + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_policy\_attributes module +----------------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_policy_attributes + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_policy\_create\_attributes module +------------------------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_attributes + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_policy\_create\_data module +------------------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_data + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_policy\_create\_request module +---------------------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_request + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_policy\_data module +----------------------------------------------------------------------------------- + +.. 
automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_policy_data + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_policy\_response module +--------------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_policy_response + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_policy\_type module +----------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_policy_type + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_policy\_update\_attributes module +------------------------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_attributes + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_policy\_update\_data module +------------------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_data + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_policy\_update\_request module +---------------------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_request + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_policy\_updater\_attributes module +-------------------------------------------------------------------------------------------------- + +.. 
automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_policy_updater_attributes + :members: + :show-inheritance: + datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_rule\_action module ----------------------------------------------------------------------------------- diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.py b/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.py new file mode 100644 index 0000000000..3e0089b028 --- /dev/null +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.py @@ -0,0 +1,39 @@ +""" +Create a CSM Threats Agent policy returns "OK" response +""" + +from datadog_api_client import ApiClient, Configuration +from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_attributes import ( + CloudWorkloadSecurityAgentPolicyCreateAttributes, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_data import ( + CloudWorkloadSecurityAgentPolicyCreateData, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_request import ( + CloudWorkloadSecurityAgentPolicyCreateRequest, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_type import CloudWorkloadSecurityAgentPolicyType + +body = CloudWorkloadSecurityAgentPolicyCreateRequest( + data=CloudWorkloadSecurityAgentPolicyCreateData( + attributes=CloudWorkloadSecurityAgentPolicyCreateAttributes( + description="My agent policy", + enabled=True, + host_tags_lists=[ + [ + "env:test", + ], + ], + name="my_agent_policy", + ), + type=CloudWorkloadSecurityAgentPolicyType.POLICY, + ), +) + +configuration = Configuration() +with ApiClient(configuration) as api_client: + api_instance = CSMThreatsApi(api_client) + response = api_instance.create_csm_threats_agent_policy(body=body) + + print(response) 
diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.py b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.py index 527135c847..57e97a338e 100644 --- a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.py +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.py @@ -2,6 +2,7 @@ Create a CSM Threats Agent rule returns "OK" response """ +from os import environ from datadog_api_client import ApiClient, Configuration from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_attributes import ( @@ -15,16 +16,19 @@ ) from datadog_api_client.v2.model.cloud_workload_security_agent_rule_type import CloudWorkloadSecurityAgentRuleType +# there is a valid "policy_rc" in the system +POLICY_DATA_ID = environ["POLICY_DATA_ID"] + body = CloudWorkloadSecurityAgentRuleCreateRequest( data=CloudWorkloadSecurityAgentRuleCreateData( attributes=CloudWorkloadSecurityAgentRuleCreateAttributes( description="My Agent rule", enabled=True, expression='exec.file.name == "sh"', - filters=[ - 'os == "linux"', - ], + filters=[], name="examplecsmthreat", + policy_id=POLICY_DATA_ID, + product_tags=[], ), type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE, ), diff --git a/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.py b/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.py index 4a700fcdbe..6f8256a45f 100644 --- a/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.py +++ b/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.py @@ -18,9 +18,10 @@ body = CloudWorkloadSecurityAgentRuleCreateRequest( data=CloudWorkloadSecurityAgentRuleCreateData( attributes=CloudWorkloadSecurityAgentRuleCreateAttributes( - description="Test Agent rule", + description="My Agent rule", enabled=True, expression='exec.file.name == "sh"', + filters=[], name="examplecsmthreat", ), type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE, 
diff --git a/examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.py b/examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.py new file mode 100644 index 0000000000..d1e5de817d --- /dev/null +++ b/examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.py @@ -0,0 +1,17 @@ +""" +Delete a CSM Threats Agent policy returns "OK" response +""" + +from os import environ +from datadog_api_client import ApiClient, Configuration +from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi + +# there is a valid "policy_rc" in the system +POLICY_DATA_ID = environ["POLICY_DATA_ID"] + +configuration = Configuration() +with ApiClient(configuration) as api_client: + api_instance = CSMThreatsApi(api_client) + api_instance.delete_csm_threats_agent_policy( + policy_id=POLICY_DATA_ID, + ) diff --git a/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.py b/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.py index 5568cca3c8..bb71c986c6 100644 --- a/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.py +++ b/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.py @@ -9,9 +9,13 @@ # there is a valid "agent_rule_rc" in the system AGENT_RULE_DATA_ID = environ["AGENT_RULE_DATA_ID"] +# there is a valid "policy_rc" in the system +POLICY_DATA_ID = environ["POLICY_DATA_ID"] + configuration = Configuration() with ApiClient(configuration) as api_client: api_instance = CSMThreatsApi(api_client) api_instance.delete_csm_threats_agent_rule( agent_rule_id=AGENT_RULE_DATA_ID, + policy_id=POLICY_DATA_ID, ) diff --git a/examples/v2/csm-threats/GetCSMThreatsAgentPolicy.py b/examples/v2/csm-threats/GetCSMThreatsAgentPolicy.py new file mode 100644 index 0000000000..c3997548cf --- /dev/null +++ b/examples/v2/csm-threats/GetCSMThreatsAgentPolicy.py 
@@ -0,0 +1,19 @@
+"""
+Get a CSM Threats Agent policy returns "OK" response
+"""
+
+from os import environ
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi
+
+# there is a valid "policy_rc" in the system
+POLICY_DATA_ID = environ["POLICY_DATA_ID"]
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+ api_instance = CSMThreatsApi(api_client)
+ response = api_instance.get_csm_threats_agent_policy(
+ policy_id=POLICY_DATA_ID,
+ )
+
+ print(response)
diff --git a/examples/v2/csm-threats/GetCSMThreatsAgentRule.py b/examples/v2/csm-threats/GetCSMThreatsAgentRule.py
index ec41ed3d1b..2e6157715e 100644
--- a/examples/v2/csm-threats/GetCSMThreatsAgentRule.py
+++ b/examples/v2/csm-threats/GetCSMThreatsAgentRule.py
@@ -9,11 +9,15 @@
 # there is a valid "agent_rule_rc" in the system
 AGENT_RULE_DATA_ID = environ["AGENT_RULE_DATA_ID"]
 
+# there is a valid "policy_rc" in the system
+POLICY_DATA_ID = environ["POLICY_DATA_ID"]
+
 configuration = Configuration()
 with ApiClient(configuration) as api_client:
 api_instance = CSMThreatsApi(api_client)
 response = api_instance.get_csm_threats_agent_rule(
 agent_rule_id=AGENT_RULE_DATA_ID,
+ policy_id=POLICY_DATA_ID,
 )
 
 print(response)
diff --git a/examples/v2/csm-threats/ListCSMThreatsAgentPolicies.py b/examples/v2/csm-threats/ListCSMThreatsAgentPolicies.py
new file mode 100644
index 0000000000..22b9e4a49b
--- /dev/null
+++ b/examples/v2/csm-threats/ListCSMThreatsAgentPolicies.py
@@ -0,0 +1,13 @@
+"""
+Get all CSM Threats Agent policies returns "OK" response
+"""
+
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+ api_instance = CSMThreatsApi(api_client)
+ response = api_instance.list_csm_threats_agent_policies()
+
+ print(response)
diff --git a/examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.py b/examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.py new file mode 100644 index 0000000000..9eda2afff3 --- /dev/null +++ b/examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.py @@ -0,0 +1,44 @@ +""" +Update a CSM Threats Agent policy returns "OK" response +""" + +from os import environ +from datadog_api_client import ApiClient, Configuration +from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_type import CloudWorkloadSecurityAgentPolicyType +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_attributes import ( + CloudWorkloadSecurityAgentPolicyUpdateAttributes, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_data import ( + CloudWorkloadSecurityAgentPolicyUpdateData, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_request import ( + CloudWorkloadSecurityAgentPolicyUpdateRequest, +) + +# there is a valid "policy_rc" in the system +POLICY_DATA_ID = environ["POLICY_DATA_ID"] + +body = CloudWorkloadSecurityAgentPolicyUpdateRequest( + data=CloudWorkloadSecurityAgentPolicyUpdateData( + attributes=CloudWorkloadSecurityAgentPolicyUpdateAttributes( + description="Updated agent policy", + enabled=True, + host_tags_lists=[ + [ + "env:test", + ], + ], + name="updated_agent_policy", + ), + id=POLICY_DATA_ID, + type=CloudWorkloadSecurityAgentPolicyType.POLICY, + ), +) + +configuration = Configuration() +with ApiClient(configuration) as api_client: + api_instance = CSMThreatsApi(api_client) + response = api_instance.update_csm_threats_agent_policy(policy_id=POLICY_DATA_ID, body=body) + + print(response) diff --git a/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.py b/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.py index 1d5c8bb27e..586c16121c 100644 --- a/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.py 
+++ b/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.py @@ -19,21 +19,28 @@ # there is a valid "agent_rule_rc" in the system AGENT_RULE_DATA_ID = environ["AGENT_RULE_DATA_ID"] +# there is a valid "policy_rc" in the system +POLICY_DATA_ID = environ["POLICY_DATA_ID"] + body = CloudWorkloadSecurityAgentRuleUpdateRequest( data=CloudWorkloadSecurityAgentRuleUpdateData( attributes=CloudWorkloadSecurityAgentRuleUpdateAttributes( - description="Test Agent rule", + description="My Agent rule", enabled=True, expression='exec.file.name == "sh"', + policy_id=POLICY_DATA_ID, + product_tags=[], ), - type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE, id=AGENT_RULE_DATA_ID, + type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE, ), ) configuration = Configuration() with ApiClient(configuration) as api_client: api_instance = CSMThreatsApi(api_client) - response = api_instance.update_csm_threats_agent_rule(agent_rule_id=AGENT_RULE_DATA_ID, body=body) + response = api_instance.update_csm_threats_agent_rule( + agent_rule_id=AGENT_RULE_DATA_ID, policy_id=POLICY_DATA_ID, body=body + ) print(response) diff --git a/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.py b/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.py index 75bfd5cf32..1cd780c010 100644 --- a/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.py +++ b/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.py @@ -22,12 +22,11 @@ body = CloudWorkloadSecurityAgentRuleUpdateRequest( data=CloudWorkloadSecurityAgentRuleUpdateData( attributes=CloudWorkloadSecurityAgentRuleUpdateAttributes( - description="Test Agent rule", - enabled=True, + description="Updated Agent rule", expression='exec.file.name == "sh"', ), - type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE, id=AGENT_RULE_DATA_ID, + type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE, ), ) 
diff --git a/src/datadog_api_client/v2/api/csm_threats_api.py b/src/datadog_api_client/v2/api/csm_threats_api.py index d516dae2fe..d32299f674 100644 --- a/src/datadog_api_client/v2/api/csm_threats_api.py +++ b/src/datadog_api_client/v2/api/csm_threats_api.py @@ -3,12 +3,14 @@ # Copyright 2019-Present Datadog, Inc. from __future__ import annotations -from typing import Any, Dict +from typing import Any, Dict, Union from datadog_api_client.api_client import ApiClient, Endpoint as _Endpoint from datadog_api_client.configuration import Configuration from datadog_api_client.model_utils import ( file_type, + UnsetType, + unset, ) from datadog_api_client.v2.model.cloud_workload_security_agent_rules_list_response import ( CloudWorkloadSecurityAgentRulesListResponse, @@ -22,6 +24,18 @@ from datadog_api_client.v2.model.cloud_workload_security_agent_rule_update_request import ( CloudWorkloadSecurityAgentRuleUpdateRequest, ) +from datadog_api_client.v2.model.cloud_workload_security_agent_policies_list_response import ( + CloudWorkloadSecurityAgentPoliciesListResponse, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_response import ( + CloudWorkloadSecurityAgentPolicyResponse, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_request import ( + CloudWorkloadSecurityAgentPolicyCreateRequest, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_request import ( + CloudWorkloadSecurityAgentPolicyUpdateRequest, +) class CSMThreatsApi: 
@@ -54,6 +68,26 @@ def __init__(self, api_client=None): api_client=api_client, ) + self._create_csm_threats_agent_policy_endpoint = _Endpoint( + settings={ + "response_type": (CloudWorkloadSecurityAgentPolicyResponse,), + "auth": ["apiKeyAuth", "appKeyAuth"], + "endpoint_path": "/api/v2/remote_config/products/cws/policy", + "operation_id": "create_csm_threats_agent_policy", + "http_method": "POST", + "version": "v2", + }, + params_map={ + "body": { + "required": True, + "openapi_types": (CloudWorkloadSecurityAgentPolicyCreateRequest,), + "location": "body", + }, + }, + headers_map={"accept": ["application/json"], "content_type": ["application/json"]}, + api_client=api_client, + ) + self._create_csm_threats_agent_rule_endpoint = _Endpoint( settings={ "response_type": (CloudWorkloadSecurityAgentRuleResponse,), @@ -97,6 +131,29 @@ def __init__(self, api_client=None): api_client=api_client, ) + self._delete_csm_threats_agent_policy_endpoint = _Endpoint( + settings={ + "response_type": None, + "auth": ["apiKeyAuth", "appKeyAuth"], + "endpoint_path": "/api/v2/remote_config/products/cws/policy/{policy_id}", + "operation_id": "delete_csm_threats_agent_policy", + "http_method": "DELETE", + "version": "v2", + }, + params_map={ + "policy_id": { + "required": True, + "openapi_types": (str,), + "attribute": "policy_id", + "location": "path", + }, + }, + headers_map={ + "accept": ["*/*"], + }, + api_client=api_client, + ) + self._delete_csm_threats_agent_rule_endpoint = _Endpoint( settings={ "response_type": None, @@ -113,6 +170,11 @@ def __init__(self, api_client=None): "attribute": "agent_rule_id", "location": "path", }, + "policy_id": { + "openapi_types": (str,), + "attribute": "policy_id", + "location": "query", + }, }, headers_map={ "accept": ["*/*"], 
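Review bot: `policy_id` is a caller-supplied string that the new delete endpoint interpolates into `endpoint_path` `/api/v2/remote_config/products/cws/policy/{policy_id}`, and nothing in this hunk validates or encodes it; `_Endpoint` is outside the diff, so confirm that it percent-encodes path parameters before substitution, otherwise a value containing `/`, `?` or `..` would change the route the DELETE is sent to. The same applies to the get endpoint in the next hunk and to the PATCH update endpoint after it, which use the same path template. Because this is the first destructive policy operation in the client, a short comment on the `params_map` entry such as `# policy_id is substituted into the path; must be a single policy id as returned by the list endpoint` would also help readers of the generated code. The enclosing `__init__` starts before and ends after this hunk.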
@@ -175,6 +237,29 @@ def __init__(self, api_client=None): api_client=api_client, ) + self._get_csm_threats_agent_policy_endpoint = _Endpoint( + settings={ + "response_type": (CloudWorkloadSecurityAgentPolicyResponse,), + "auth": ["apiKeyAuth", "appKeyAuth"], + "endpoint_path": "/api/v2/remote_config/products/cws/policy/{policy_id}", + "operation_id": "get_csm_threats_agent_policy", + "http_method": "GET", + "version": "v2", + }, + params_map={ + "policy_id": { + "required": True, + "openapi_types": (str,), + "attribute": "policy_id", + "location": "path", + }, + }, + headers_map={ + "accept": ["application/json"], + }, + api_client=api_client, + ) + self._get_csm_threats_agent_rule_endpoint = _Endpoint( settings={ "response_type": (CloudWorkloadSecurityAgentRuleResponse,), @@ -191,6 +276,11 @@ def __init__(self, api_client=None): "attribute": "agent_rule_id", "location": "path", }, + "policy_id": { + "openapi_types": (str,), + "attribute": "policy_id", + "location": "query", + }, }, headers_map={ "accept": ["application/json"], @@ -214,6 +304,22 @@ def __init__(self, api_client=None): api_client=api_client, ) + self._list_csm_threats_agent_policies_endpoint = _Endpoint( + settings={ + "response_type": (CloudWorkloadSecurityAgentPoliciesListResponse,), + "auth": ["apiKeyAuth", "appKeyAuth"], + "endpoint_path": "/api/v2/remote_config/products/cws/policy", + "operation_id": "list_csm_threats_agent_policies", + "http_method": "GET", + "version": "v2", + }, + params_map={}, + headers_map={ + "accept": ["application/json"], + }, + api_client=api_client, + ) + self._list_csm_threats_agent_rules_endpoint = _Endpoint( settings={ "response_type": (CloudWorkloadSecurityAgentRulesListResponse,), @@ -223,7 +329,13 @@ def __init__(self, api_client=None): "http_method": "GET", "version": "v2", }, - params_map={}, + params_map={ + "policy_id": { + "openapi_types": (str,), + "attribute": "policy_id", + "location": "query", + }, + }, headers_map={ "accept": ["application/json"], }, 
@@ -256,6 +368,32 @@ def __init__(self, api_client=None): api_client=api_client, ) + self._update_csm_threats_agent_policy_endpoint = _Endpoint( + settings={ + "response_type": (CloudWorkloadSecurityAgentPolicyResponse,), + "auth": ["apiKeyAuth", "appKeyAuth"], + "endpoint_path": "/api/v2/remote_config/products/cws/policy/{policy_id}", + "operation_id": "update_csm_threats_agent_policy", + "http_method": "PATCH", + "version": "v2", + }, + params_map={ + "policy_id": { + "required": True, + "openapi_types": (str,), + "attribute": "policy_id", + "location": "path", + }, + "body": { + "required": True, + "openapi_types": (CloudWorkloadSecurityAgentPolicyUpdateRequest,), + "location": "body", + }, + }, + headers_map={"accept": ["application/json"], "content_type": ["application/json"]}, + api_client=api_client, + ) + self._update_csm_threats_agent_rule_endpoint = _Endpoint( settings={ "response_type": (CloudWorkloadSecurityAgentRuleResponse,), @@ -272,6 +410,11 @@ def __init__(self, api_client=None): "attribute": "agent_rule_id", "location": "path", }, + "policy_id": { + "openapi_types": (str,), + "attribute": "policy_id", + "location": "query", + }, "body": { "required": True, "openapi_types": (CloudWorkloadSecurityAgentRuleUpdateRequest,), @@ -290,7 +433,7 @@ def create_cloud_workload_security_agent_rule( Create a new Agent rule with the given parameters. - :param body: The definition of the new Agent rule. + :param body: The definition of the new Agent rule :type body: CloudWorkloadSecurityAgentRuleCreateRequest :rtype: CloudWorkloadSecurityAgentRuleResponse """ 
@@ -299,15 +442,32 @@ def create_cloud_workload_security_agent_rule( return self._create_cloud_workload_security_agent_rule_endpoint.call_with_http_info(**kwargs) + def create_csm_threats_agent_policy( + self, + body: CloudWorkloadSecurityAgentPolicyCreateRequest, + ) -> CloudWorkloadSecurityAgentPolicyResponse: + """Create a CSM Threats Agent policy. + + Create a new Cloud Security Management Threats Agent policy with the given parameters + + :param body: The definition of the new Agent policy + :type body: CloudWorkloadSecurityAgentPolicyCreateRequest + :rtype: CloudWorkloadSecurityAgentPolicyResponse + """ + kwargs: Dict[str, Any] = {} + kwargs["body"] = body + + return self._create_csm_threats_agent_policy_endpoint.call_with_http_info(**kwargs) + def create_csm_threats_agent_rule( self, body: CloudWorkloadSecurityAgentRuleCreateRequest, ) -> CloudWorkloadSecurityAgentRuleResponse: """Create a CSM Threats Agent rule. - Create a new Cloud Security Management Threats Agent rule with the given parameters. + Create a new Cloud Security Management Threats Agent rule with the given parameters - :param body: The definition of the new Agent rule. + :param body: The definition of the new Agent rule :type body: CloudWorkloadSecurityAgentRuleCreateRequest :rtype: CloudWorkloadSecurityAgentRuleResponse """ @@ -322,9 +482,9 @@ def delete_cloud_workload_security_agent_rule( ) -> None: """Delete a Cloud Workload Security Agent rule. - Delete a specific Agent rule. + Delete a specific Agent rule - :param agent_rule_id: The ID of the Agent rule. + :param agent_rule_id: The ID of the Agent rule :type agent_rule_id: str :rtype: None """ 
@@ -333,21 +493,45 @@ def delete_cloud_workload_security_agent_rule( return self._delete_cloud_workload_security_agent_rule_endpoint.call_with_http_info(**kwargs) + def delete_csm_threats_agent_policy( + self, + policy_id: str, + ) -> None: + """Delete a CSM Threats Agent policy. + + Delete a specific Cloud Security Management Threats Agent policy + + :param policy_id: The ID of the Agent policy + :type policy_id: str + :rtype: None + """ + kwargs: Dict[str, Any] = {} + kwargs["policy_id"] = policy_id + + return self._delete_csm_threats_agent_policy_endpoint.call_with_http_info(**kwargs) + def delete_csm_threats_agent_rule( self, agent_rule_id: str, + *, + policy_id: Union[str, UnsetType] = unset, ) -> None: """Delete a CSM Threats Agent rule. - Delete a specific Cloud Security Management Threats Agent rule. + Delete a specific Cloud Security Management Threats Agent rule - :param agent_rule_id: The ID of the Agent rule. + :param agent_rule_id: The ID of the Agent rule :type agent_rule_id: str + :param policy_id: The ID of the Agent policy + :type policy_id: str, optional :rtype: None """ kwargs: Dict[str, Any] = {} kwargs["agent_rule_id"] = agent_rule_id + if policy_id is not unset: + kwargs["policy_id"] = policy_id + return self._delete_csm_threats_agent_rule_endpoint.call_with_http_info(**kwargs) def download_cloud_workload_policy_file( @@ -384,9 +568,9 @@ def get_cloud_workload_security_agent_rule( ) -> CloudWorkloadSecurityAgentRuleResponse: """Get a Cloud Workload Security Agent rule. - Get the details of a specific Agent rule. + Get the details of a specific Agent rule - :param agent_rule_id: The ID of the Agent rule. + :param agent_rule_id: The ID of the Agent rule :type agent_rule_id: str :rtype: CloudWorkloadSecurityAgentRuleResponse """ 
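Review bot: The new keyword-only `policy_id` on `delete_csm_threats_agent_rule` is documented only as `The ID of the Agent policy`, so a caller cannot tell what the delete resolves to when it is omitted, even though the body shows the value is only attached to the request when set (`if policy_id is not unset`). Suggest `:param policy_id: The ID of the Agent policy the rule belongs to; sent as a query parameter only when provided`, with the behaviour of an omitted id stated once it has been confirmed against the API. The same wording applies to `get_csm_threats_agent_rule`, `list_csm_threats_agent_rules` and `update_csm_threats_agent_rule` in the following hunks; since these docstrings are generated from the OpenAPI parameter description, the fix belongs in the spec rather than in this file.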
@@ -395,21 +579,45 @@ def get_cloud_workload_security_agent_rule( return self._get_cloud_workload_security_agent_rule_endpoint.call_with_http_info(**kwargs) + def get_csm_threats_agent_policy( + self, + policy_id: str, + ) -> CloudWorkloadSecurityAgentPolicyResponse: + """Get a CSM Threats Agent policy. + + Get the details of a specific Cloud Security Management Threats Agent policy + + :param policy_id: The ID of the Agent policy + :type policy_id: str + :rtype: CloudWorkloadSecurityAgentPolicyResponse + """ + kwargs: Dict[str, Any] = {} + kwargs["policy_id"] = policy_id + + return self._get_csm_threats_agent_policy_endpoint.call_with_http_info(**kwargs) + def get_csm_threats_agent_rule( self, agent_rule_id: str, + *, + policy_id: Union[str, UnsetType] = unset, ) -> CloudWorkloadSecurityAgentRuleResponse: """Get a CSM Threats Agent rule. - Get the details of a specific Cloud Security Management Threats Agent rule. + Get the details of a specific Cloud Security Management Threats Agent rule - :param agent_rule_id: The ID of the Agent rule. + :param agent_rule_id: The ID of the Agent rule :type agent_rule_id: str + :param policy_id: The ID of the Agent policy + :type policy_id: str, optional :rtype: CloudWorkloadSecurityAgentRuleResponse """ kwargs: Dict[str, Any] = {} kwargs["agent_rule_id"] = agent_rule_id + if policy_id is not unset: + kwargs["policy_id"] = policy_id + return self._get_csm_threats_agent_rule_endpoint.call_with_http_info(**kwargs) def list_cloud_workload_security_agent_rules( 
@@ -417,23 +625,42 @@ def list_cloud_workload_security_agent_rules( ) -> CloudWorkloadSecurityAgentRulesListResponse: """Get all Cloud Workload Security Agent rules. - Get the list of Agent rules. + Get the list of Agent rules :rtype: CloudWorkloadSecurityAgentRulesListResponse """ kwargs: Dict[str, Any] = {} return self._list_cloud_workload_security_agent_rules_endpoint.call_with_http_info(**kwargs) + def list_csm_threats_agent_policies( + self, + ) -> CloudWorkloadSecurityAgentPoliciesListResponse: + """Get all CSM Threats Agent policies. + + Get the list of Cloud Security Management Threats Agent policies + + :rtype: CloudWorkloadSecurityAgentPoliciesListResponse + """ + kwargs: Dict[str, Any] = {} + return self._list_csm_threats_agent_policies_endpoint.call_with_http_info(**kwargs) + def list_csm_threats_agent_rules( self, + *, + policy_id: Union[str, UnsetType] = unset, ) -> CloudWorkloadSecurityAgentRulesListResponse: """Get all CSM Threats Agent rules. - Get the list of Cloud Security Management Threats Agent rules. + Get the list of Cloud Security Management Threats Agent rules + :param policy_id: The ID of the Agent policy + :type policy_id: str, optional :rtype: CloudWorkloadSecurityAgentRulesListResponse """ kwargs: Dict[str, Any] = {} + if policy_id is not unset: + kwargs["policy_id"] = policy_id + return self._list_csm_threats_agent_rules_endpoint.call_with_http_info(**kwargs) def update_cloud_workload_security_agent_rule( @@ -446,9 +673,9 @@ def update_cloud_workload_security_agent_rule( Update a specific Agent rule. Returns the Agent rule object when the request is successful. - :param agent_rule_id: The ID of the Agent rule. + :param agent_rule_id: The ID of the Agent rule :type agent_rule_id: str - :param body: New definition of the Agent rule. + :param body: New definition of the Agent rule :type body: CloudWorkloadSecurityAgentRuleUpdateRequest :rtype: CloudWorkloadSecurityAgentRuleResponse """ 
@@ -459,25 +686,55 @@ def update_cloud_workload_security_agent_rule( return self._update_cloud_workload_security_agent_rule_endpoint.call_with_http_info(**kwargs) + def update_csm_threats_agent_policy( + self, + policy_id: str, + body: CloudWorkloadSecurityAgentPolicyUpdateRequest, + ) -> CloudWorkloadSecurityAgentPolicyResponse: + """Update a CSM Threats Agent policy. + + Update a specific Cloud Security Management Threats Agent policy. + Returns the Agent policy object when the request is successful. + + :param policy_id: The ID of the Agent policy + :type policy_id: str + :param body: New definition of the Agent policy + :type body: CloudWorkloadSecurityAgentPolicyUpdateRequest + :rtype: CloudWorkloadSecurityAgentPolicyResponse + """ + kwargs: Dict[str, Any] = {} + kwargs["policy_id"] = policy_id + + kwargs["body"] = body + + return self._update_csm_threats_agent_policy_endpoint.call_with_http_info(**kwargs) + def update_csm_threats_agent_rule( self, agent_rule_id: str, body: CloudWorkloadSecurityAgentRuleUpdateRequest, + *, + policy_id: Union[str, UnsetType] = unset, ) -> CloudWorkloadSecurityAgentRuleResponse: """Update a CSM Threats Agent rule. Update a specific Cloud Security Management Threats Agent rule. Returns the Agent rule object when the request is successful. - :param agent_rule_id: The ID of the Agent rule. + :param agent_rule_id: The ID of the Agent rule :type agent_rule_id: str - :param body: New definition of the Agent rule. + :param body: New definition of the Agent rule :type body: CloudWorkloadSecurityAgentRuleUpdateRequest + :param policy_id: The ID of the Agent policy + :type policy_id: str, optional :rtype: CloudWorkloadSecurityAgentRuleResponse """ kwargs: Dict[str, Any] = {} kwargs["agent_rule_id"] = agent_rule_id + if policy_id is not unset: + kwargs["policy_id"] = policy_id + kwargs["body"] = body return self._update_csm_threats_agent_rule_endpoint.call_with_http_info(**kwargs) 
diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_policies_list_response.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policies_list_response.py new file mode 100644 index 0000000000..97dc56ae02 --- /dev/null +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policies_list_response.py @@ -0,0 +1,46 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import List, Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_data import ( + CloudWorkloadSecurityAgentPolicyData, + ) + + +class CloudWorkloadSecurityAgentPoliciesListResponse(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_data import ( + CloudWorkloadSecurityAgentPolicyData, + ) + + return { + "data": ([CloudWorkloadSecurityAgentPolicyData],), + } + + attribute_map = { + "data": "data", + } + + def __init__(self_, data: Union[List[CloudWorkloadSecurityAgentPolicyData], UnsetType] = unset, **kwargs): + """ + Response object that includes a list of Agent policies + + :param data: A list of Agent policy objects + :type data: [CloudWorkloadSecurityAgentPolicyData], optional + """ + if data is not unset: + kwargs["data"] = data + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_attributes.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_attributes.py new file mode 100644 index 0000000000..739ff1bbc1 --- /dev/null 
+++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_attributes.py 
@@ -0,0 +1,177 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import List, Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_updater_attributes import ( + CloudWorkloadSecurityAgentPolicyUpdaterAttributes, + ) + + +class CloudWorkloadSecurityAgentPolicyAttributes(ModelNormal): + validations = { + "blocking_rules_count": { + "inclusive_maximum": 2147483647, + }, + "disabled_rules_count": { + "inclusive_maximum": 2147483647, + }, + "monitoring_rules_count": { + "inclusive_maximum": 2147483647, + }, + "rule_count": { + "inclusive_maximum": 2147483647, + }, + } + + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_updater_attributes import ( + CloudWorkloadSecurityAgentPolicyUpdaterAttributes, + ) + + return { + "blocking_rules_count": (int,), + "datadog_managed": (bool,), + "description": (str,), + "disabled_rules_count": (int,), + "enabled": (bool,), + "host_tags": ([str],), + "host_tags_lists": ([[str]],), + "monitoring_rules_count": (int,), + "name": (str,), + "policy_version": (str,), + "priority": (int,), + "rule_count": (int,), + "update_date": (int,), + "updated_at": (int,), + "updater": (CloudWorkloadSecurityAgentPolicyUpdaterAttributes,), + } + + attribute_map = { + "blocking_rules_count": "blockingRulesCount", + "datadog_managed": "datadogManaged", + "description": "description", + "disabled_rules_count": "disabledRulesCount", + "enabled": "enabled", + "host_tags": "hostTags", + "host_tags_lists": "hostTagsLists", + "monitoring_rules_count": "monitoringRulesCount", + "name": "name", + 
"policy_version": "policyVersion", + "priority": "priority", + "rule_count": "ruleCount", + "update_date": "updateDate", + "updated_at": "updatedAt", + "updater": "updater", + } + + def __init__( + self_, + blocking_rules_count: Union[int, UnsetType] = unset, + datadog_managed: Union[bool, UnsetType] = unset, + description: Union[str, UnsetType] = unset, + disabled_rules_count: Union[int, UnsetType] = unset, + enabled: Union[bool, UnsetType] = unset, + host_tags: Union[List[str], UnsetType] = unset, + host_tags_lists: Union[List[List[str]], UnsetType] = unset, + monitoring_rules_count: Union[int, UnsetType] = unset, + name: Union[str, UnsetType] = unset, + policy_version: Union[str, UnsetType] = unset, + priority: Union[int, UnsetType] = unset, + rule_count: Union[int, UnsetType] = unset, + update_date: Union[int, UnsetType] = unset, + updated_at: Union[int, UnsetType] = unset, + updater: Union[CloudWorkloadSecurityAgentPolicyUpdaterAttributes, UnsetType] = unset, + **kwargs, + ): + """ + A Cloud Workload Security Agent policy returned by the API + + :param blocking_rules_count: The number of rules with the blocking feature in this policy + :type blocking_rules_count: int, optional + + :param datadog_managed: Whether the policy is managed by Datadog + :type datadog_managed: bool, optional + + :param description: The description of the policy + :type description: str, optional + + :param disabled_rules_count: The number of rules that are disabled in this policy + :type disabled_rules_count: int, optional + + :param enabled: Whether the Agent policy is enabled + :type enabled: bool, optional + + :param host_tags: The host tags defining where this policy is deployed + :type host_tags: [str], optional + + :param host_tags_lists: The host tags defining where this policy is deployed, the inner values are linked with AND, the outer values are linked with OR + :type host_tags_lists: [[str]], optional + + :param monitoring_rules_count: The number of rules in the monitoring 
state in this policy + :type monitoring_rules_count: int, optional + + :param name: The name of the policy + :type name: str, optional + + :param policy_version: The version of the policy + :type policy_version: str, optional + + :param priority: The priority of the policy + :type priority: int, optional + + :param rule_count: The number of rules in this policy + :type rule_count: int, optional + + :param update_date: Timestamp in milliseconds when the policy was last updated + :type update_date: int, optional + + :param updated_at: When the policy was last updated, timestamp in milliseconds + :type updated_at: int, optional + + :param updater: The attributes of the user who last updated the policy + :type updater: CloudWorkloadSecurityAgentPolicyUpdaterAttributes, optional + """ + if blocking_rules_count is not unset: + kwargs["blocking_rules_count"] = blocking_rules_count + if datadog_managed is not unset: + kwargs["datadog_managed"] = datadog_managed + if description is not unset: + kwargs["description"] = description + if disabled_rules_count is not unset: + kwargs["disabled_rules_count"] = disabled_rules_count + if enabled is not unset: + kwargs["enabled"] = enabled + if host_tags is not unset: + kwargs["host_tags"] = host_tags + if host_tags_lists is not unset: + kwargs["host_tags_lists"] = host_tags_lists + if monitoring_rules_count is not unset: + kwargs["monitoring_rules_count"] = monitoring_rules_count + if name is not unset: + kwargs["name"] = name + if policy_version is not unset: + kwargs["policy_version"] = policy_version + if priority is not unset: + kwargs["priority"] = priority + if rule_count is not unset: + kwargs["rule_count"] = rule_count + if update_date is not unset: + kwargs["update_date"] = update_date + if updated_at is not unset: + kwargs["updated_at"] = updated_at + if updater is not unset: + kwargs["updater"] = updater + super().__init__(kwargs) 
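Review bot: `update_date` and `updated_at` are both `int` fields whose docstrings say the same thing in different words (`Timestamp in milliseconds when the policy was last updated` and `When the policy was last updated, timestamp in milliseconds`), so a reader cannot tell whether the two values ever differ or which one to rely on. If one of them is a legacy alias, the spec description this docstring is generated from should say so, e.g. `:param updated_at: When the policy was last updated, timestamp in milliseconds (confirm whether this supersedes update_date)`. The class docstring `A Cloud Workload Security Agent policy returned by the API` would also benefit from one sentence noting that the three `*_rules_count` fields and `rule_count` are server-computed summaries rather than inputs, if that is indeed the case.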
diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_create_attributes.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_create_attributes.py new file mode 100644 index 0000000000..7986726752 --- /dev/null +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_create_attributes.py 
@@ -0,0 +1,72 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import List, Union + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +class CloudWorkloadSecurityAgentPolicyCreateAttributes(ModelNormal): + @cached_property + def openapi_types(_): + return { + "description": (str,), + "enabled": (bool,), + "host_tags": ([str],), + "host_tags_lists": ([[str]],), + "name": (str,), + } + + attribute_map = { + "description": "description", + "enabled": "enabled", + "host_tags": "hostTags", + "host_tags_lists": "hostTagsLists", + "name": "name", + } + + def __init__( + self_, + name: str, + description: Union[str, UnsetType] = unset, + enabled: Union[bool, UnsetType] = unset, + host_tags: Union[List[str], UnsetType] = unset, + host_tags_lists: Union[List[List[str]], UnsetType] = unset, + **kwargs, + ): + """ + Create a new Cloud Workload Security Agent policy + + :param description: The description of the policy + :type description: str, optional + + :param enabled: Whether the policy is enabled + :type enabled: bool, optional + + :param host_tags: The host tags defining where this policy is deployed + :type host_tags: [str], optional + + :param host_tags_lists: The host tags defining where this policy is deployed, the inner values are linked with AND, the outer values are linked with OR + :type host_tags_lists: [[str]], optional + + :param name: The name of the policy + :type name: str + """ + if description is not unset: + kwargs["description"] = description + if enabled is not unset: + kwargs["enabled"] = enabled + if host_tags is not unset: + kwargs["host_tags"] = host_tags + if host_tags_lists is not unset: + kwargs["host_tags_lists"] = host_tags_lists + 
super().__init__(kwargs) + + self_.name = name diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_create_data.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_create_data.py new file mode 100644 index 0000000000..d4bfc6d364 --- /dev/null +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_create_data.py 
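Review bot: `host_tags` and `host_tags_lists` are both accepted by `CloudWorkloadSecurityAgentPolicyCreateAttributes.__init__` and both documented as `The host tags defining where this policy is deployed`, but nothing says what happens when a caller sets both, or which one to prefer; since these values decide where a policy is deployed, the ambiguity is worth closing. If `host_tags` is the legacy flat form, a line such as `:param host_tags: Flat list of host tags (confirm precedence when host_tags_lists is also set)` would do, and the source of the text is the spec description this file is generated from. The same pair appears on the response attributes model earlier in the diff.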
@@ -0,0 +1,61 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_attributes import ( + CloudWorkloadSecurityAgentPolicyCreateAttributes, + ) + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_type import ( + CloudWorkloadSecurityAgentPolicyType, + ) + + +class CloudWorkloadSecurityAgentPolicyCreateData(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_attributes import ( + CloudWorkloadSecurityAgentPolicyCreateAttributes, + ) + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_type import ( + CloudWorkloadSecurityAgentPolicyType, + ) + + return { + "attributes": (CloudWorkloadSecurityAgentPolicyCreateAttributes,), + "type": (CloudWorkloadSecurityAgentPolicyType,), + } + + attribute_map = { + "attributes": "attributes", + "type": "type", + } + + def __init__( + self_, + attributes: CloudWorkloadSecurityAgentPolicyCreateAttributes, + type: CloudWorkloadSecurityAgentPolicyType, + **kwargs, + ): + """ + Object for a single Agent rule + + :param attributes: Create a new Cloud Workload Security Agent policy + :type attributes: CloudWorkloadSecurityAgentPolicyCreateAttributes + + :param type: The type of the resource, must always be ``policy`` + :type type: CloudWorkloadSecurityAgentPolicyType + """ + super().__init__(kwargs) + + self_.attributes = attributes + self_.type = type 
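Review bot: The docstring of `CloudWorkloadSecurityAgentPolicyCreateData.__init__` reads `Object for a single Agent rule`, but this object carries a policy (its `type` is documented as "must always be ``policy``"), so the text was copied from the rule model. The same wording appears as `:param data: Object for a single Agent rule` in the create-request model that follows. Change it to `Object for a single Agent policy`, matching the response-side `CloudWorkloadSecurityAgentPolicyData`; because this is generated code the correction goes in the `CloudWorkloadSecurityAgentPolicyCreateData` description of the OpenAPI spec.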
diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_create_request.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_create_request.py new file mode 100644 index 0000000000..fa3c208083 --- /dev/null +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_create_request.py @@ -0,0 +1,44 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_data import ( + CloudWorkloadSecurityAgentPolicyCreateData, + ) + + +class CloudWorkloadSecurityAgentPolicyCreateRequest(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_data import ( + CloudWorkloadSecurityAgentPolicyCreateData, + ) + + return { + "data": (CloudWorkloadSecurityAgentPolicyCreateData,), + } + + attribute_map = { + "data": "data", + } + + def __init__(self_, data: CloudWorkloadSecurityAgentPolicyCreateData, **kwargs): + """ + Request object that includes the Agent policy to create + + :param data: Object for a single Agent rule + :type data: CloudWorkloadSecurityAgentPolicyCreateData + """ + super().__init__(kwargs) + + self_.data = data diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_data.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_data.py new file mode 100644 index 0000000000..cded3196ec --- /dev/null +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_data.py 
@@ -0,0 +1,72 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_attributes import ( + CloudWorkloadSecurityAgentPolicyAttributes, + ) + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_type import ( + CloudWorkloadSecurityAgentPolicyType, + ) + + +class CloudWorkloadSecurityAgentPolicyData(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_attributes import ( + CloudWorkloadSecurityAgentPolicyAttributes, + ) + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_type import ( + CloudWorkloadSecurityAgentPolicyType, + ) + + return { + "attributes": (CloudWorkloadSecurityAgentPolicyAttributes,), + "id": (str,), + "type": (CloudWorkloadSecurityAgentPolicyType,), + } + + attribute_map = { + "attributes": "attributes", + "id": "id", + "type": "type", + } + + def __init__( + self_, + attributes: Union[CloudWorkloadSecurityAgentPolicyAttributes, UnsetType] = unset, + id: Union[str, UnsetType] = unset, + type: Union[CloudWorkloadSecurityAgentPolicyType, UnsetType] = unset, + **kwargs, + ): + """ + Object for a single Agent policy + + :param attributes: A Cloud Workload Security Agent policy returned by the API + :type attributes: CloudWorkloadSecurityAgentPolicyAttributes, optional + + :param id: The ID of the Agent policy + :type id: str, optional + + :param type: The type of the resource, must always be ``policy`` + :type type: CloudWorkloadSecurityAgentPolicyType, optional + """ + if attributes 
is not unset: + kwargs["attributes"] = attributes + if id is not unset: + kwargs["id"] = id + if type is not unset: + kwargs["type"] = type + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_response.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_response.py new file mode 100644 index 0000000000..75bb3d3fe9 --- /dev/null +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_response.py @@ -0,0 +1,46 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_data import ( + CloudWorkloadSecurityAgentPolicyData, + ) + + +class CloudWorkloadSecurityAgentPolicyResponse(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_data import ( + CloudWorkloadSecurityAgentPolicyData, + ) + + return { + "data": (CloudWorkloadSecurityAgentPolicyData,), + } + + attribute_map = { + "data": "data", + } + + def __init__(self_, data: Union[CloudWorkloadSecurityAgentPolicyData, UnsetType] = unset, **kwargs): + """ + Response object that includes an Agent policy + + :param data: Object for a single Agent policy + :type data: CloudWorkloadSecurityAgentPolicyData, optional + """ + if data is not unset: + kwargs["data"] = data + super().__init__(kwargs) 
diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_type.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_type.py new file mode 100644 index 0000000000..e35c180cc0 --- /dev/null +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_type.py @@ -0,0 +1,35 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + + +from datadog_api_client.model_utils import ( + ModelSimple, + cached_property, +) + +from typing import ClassVar + + +class CloudWorkloadSecurityAgentPolicyType(ModelSimple): + """ + The type of the resource, must always be `policy` + + :param value: If omitted defaults to "policy". Must be one of ["policy"]. + :type value: str + """ + + allowed_values = { + "policy", + } + POLICY: ClassVar["CloudWorkloadSecurityAgentPolicyType"] + + @cached_property + def openapi_types(_): + return { + "value": (str,), + } + + +CloudWorkloadSecurityAgentPolicyType.POLICY = CloudWorkloadSecurityAgentPolicyType("policy") diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_update_attributes.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_update_attributes.py new file mode 100644 index 0000000000..14fc36d7c7 --- /dev/null +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_update_attributes.py 
@@ -0,0 +1,72 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import List, Union + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +class CloudWorkloadSecurityAgentPolicyUpdateAttributes(ModelNormal): + @cached_property + def openapi_types(_): + return { + "description": (str,), + "enabled": (bool,), + "host_tags": ([str],), + "host_tags_lists": ([[str]],), + "name": (str,), + } + + attribute_map = { + "description": "description", + "enabled": "enabled", + "host_tags": "hostTags", + "host_tags_lists": "hostTagsLists", + "name": "name", + } + + def __init__( + self_, + description: Union[str, UnsetType] = unset, + enabled: Union[bool, UnsetType] = unset, + host_tags: Union[List[str], UnsetType] = unset, + host_tags_lists: Union[List[List[str]], UnsetType] = unset, + name: Union[str, UnsetType] = unset, + **kwargs, + ): + """ + Update an existing Cloud Workload Security Agent policy + + :param description: The description of the policy + :type description: str, optional + + :param enabled: Whether the policy is enabled + :type enabled: bool, optional + + :param host_tags: The host tags defining where this policy is deployed + :type host_tags: [str], optional + + :param host_tags_lists: The host tags defining where this policy is deployed, the inner values are linked with AND, the outer values are linked with OR + :type host_tags_lists: [[str]], optional + + :param name: The name of the policy + :type name: str, optional + """ + if description is not unset: + kwargs["description"] = description + if enabled is not unset: + kwargs["enabled"] = enabled + if host_tags is not unset: + kwargs["host_tags"] = host_tags + if host_tags_lists is not unset: + 
kwargs["host_tags_lists"] = host_tags_lists + if name is not unset: + kwargs["name"] = name + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_update_data.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_update_data.py new file mode 100644 index 0000000000..89df7a9427 --- /dev/null +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_update_data.py 
@@ -0,0 +1,71 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_attributes import ( + CloudWorkloadSecurityAgentPolicyUpdateAttributes, + ) + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_type import ( + CloudWorkloadSecurityAgentPolicyType, + ) + + +class CloudWorkloadSecurityAgentPolicyUpdateData(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_attributes import ( + CloudWorkloadSecurityAgentPolicyUpdateAttributes, + ) + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_type import ( + CloudWorkloadSecurityAgentPolicyType, + ) + + return { + "attributes": (CloudWorkloadSecurityAgentPolicyUpdateAttributes,), + "id": (str,), + "type": (CloudWorkloadSecurityAgentPolicyType,), + } + + attribute_map = { + "attributes": "attributes", + "id": "id", + "type": "type", + } + + def __init__( + self_, + attributes: CloudWorkloadSecurityAgentPolicyUpdateAttributes, + type: CloudWorkloadSecurityAgentPolicyType, + id: Union[str, UnsetType] = unset, + **kwargs, + ): + """ + Object for a single Agent policy + + :param attributes: Update an existing Cloud Workload Security Agent policy + :type attributes: CloudWorkloadSecurityAgentPolicyUpdateAttributes + + :param id: The ID of the Agent policy + :type id: str, optional + + :param type: The type of the resource, must always be ``policy`` + :type type: CloudWorkloadSecurityAgentPolicyType + """ + if id is not unset: + kwargs["id"] = id 
+ super().__init__(kwargs) + + self_.attributes = attributes + self_.type = type diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_update_request.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_update_request.py new file mode 100644 index 0000000000..03f8a8d5e7 --- /dev/null +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_update_request.py @@ -0,0 +1,44 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_data import ( + CloudWorkloadSecurityAgentPolicyUpdateData, + ) + + +class CloudWorkloadSecurityAgentPolicyUpdateRequest(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_data import ( + CloudWorkloadSecurityAgentPolicyUpdateData, + ) + + return { + "data": (CloudWorkloadSecurityAgentPolicyUpdateData,), + } + + attribute_map = { + "data": "data", + } + + def __init__(self_, data: CloudWorkloadSecurityAgentPolicyUpdateData, **kwargs): + """ + Request object that includes the Agent policy with the attributes to update + + :param data: Object for a single Agent policy + :type data: CloudWorkloadSecurityAgentPolicyUpdateData + """ + super().__init__(kwargs) + + self_.data = data diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_updater_attributes.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_updater_attributes.py new file mode 100644 index 0000000000..d35cb703f7 --- /dev/null 
+++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_policy_updater_attributes.py @@ -0,0 +1,46 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + none_type, + unset, + UnsetType, +) + + +class CloudWorkloadSecurityAgentPolicyUpdaterAttributes(ModelNormal): + @cached_property + def openapi_types(_): + return { + "handle": (str,), + "name": (str, none_type), + } + + attribute_map = { + "handle": "handle", + "name": "name", + } + + def __init__( + self_, handle: Union[str, UnsetType] = unset, name: Union[str, none_type, UnsetType] = unset, **kwargs + ): + """ + The attributes of the user who last updated the policy + + :param handle: The handle of the user + :type handle: str, optional + + :param name: The name of the user + :type name: str, none_type, optional + """ + if handle is not unset: + kwargs["handle"] = handle + if name is not unset: + kwargs["name"] = name + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_action.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_action.py index 72010fbe42..d83312172b 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_action.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_action.py @@ -41,7 +41,7 @@ def __init__( **kwargs, ): """ - The action the rule can perform if triggered. + The action the rule can perform if triggered :param filter: SECL expression used to target the container to apply the action on :type filter: str, optional 
diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_attributes.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_attributes.py index e6cfc7dac6..1d4382555d 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_attributes.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_attributes.py @@ -52,6 +52,7 @@ def openapi_types(_): "expression": (str,), "filters": ([str],), "name": (str,), + "product_tags": ([str],), "update_author_uu_id": (str,), "update_date": (int,), "updated_at": (int,), @@ -72,6 +73,7 @@ def openapi_types(_): "expression": "expression", "filters": "filters", "name": "name", + "product_tags": "product_tags", "update_author_uu_id": "updateAuthorUuId", "update_date": "updateDate", "updated_at": "updatedAt", @@ -93,6 +95,7 @@ def __init__( expression: Union[str, UnsetType] = unset, filters: Union[List[str], UnsetType] = unset, name: Union[str, UnsetType] = unset, + product_tags: Union[List[str], UnsetType] = unset, update_author_uu_id: Union[str, UnsetType] = unset, update_date: Union[int, UnsetType] = unset, updated_at: Union[int, UnsetType] = unset, 
@@ -101,57 +104,60 @@ def __init__( **kwargs, ): """ - A Cloud Workload Security Agent rule returned by the API. + A Cloud Workload Security Agent rule returned by the API - :param actions: The array of actions the rule can perform if triggered. + :param actions: The array of actions the rule can perform if triggered :type actions: [CloudWorkloadSecurityAgentRuleAction], none_type, optional - :param agent_constraint: The version of the agent. + :param agent_constraint: The version of the Agent :type agent_constraint: str, optional - :param category: The category of the Agent rule. + :param category: The category of the Agent rule :type category: str, optional - :param creation_author_uu_id: The ID of the user who created the rule. + :param creation_author_uu_id: The ID of the user who created the rule :type creation_author_uu_id: str, optional - :param creation_date: When the Agent rule was created, timestamp in milliseconds. + :param creation_date: When the Agent rule was created, timestamp in milliseconds :type creation_date: int, optional - :param creator: The attributes of the user who created the Agent rule. + :param creator: The attributes of the user who created the Agent rule :type creator: CloudWorkloadSecurityAgentRuleCreatorAttributes, optional - :param default_rule: Whether the rule is included by default. + :param default_rule: Whether the rule is included by default :type default_rule: bool, optional - :param description: The description of the Agent rule. + :param description: The description of the Agent rule :type description: str, optional - :param enabled: Whether the Agent rule is enabled. + :param enabled: Whether the Agent rule is enabled :type enabled: bool, optional - :param expression: The SECL expression of the Agent rule. + :param expression: The SECL expression of the Agent rule :type expression: str, optional - :param filters: The platforms the Agent rule is supported on. 
+ :param filters: The platforms the Agent rule is supported on :type filters: [str], optional - :param name: The name of the Agent rule. + :param name: The name of the Agent rule :type name: str, optional - :param update_author_uu_id: The ID of the user who updated the rule. + :param product_tags: The list of product tags associated with the rule + :type product_tags: [str], optional + + :param update_author_uu_id: The ID of the user who updated the rule :type update_author_uu_id: str, optional - :param update_date: Timestamp in milliseconds when the Agent rule was last updated. + :param update_date: Timestamp in milliseconds when the Agent rule was last updated :type update_date: int, optional - :param updated_at: When the Agent rule was last updated, timestamp in milliseconds. + :param updated_at: When the Agent rule was last updated, timestamp in milliseconds :type updated_at: int, optional - :param updater: The attributes of the user who last updated the Agent rule. + :param updater: The attributes of the user who last updated the Agent rule :type updater: CloudWorkloadSecurityAgentRuleUpdaterAttributes, optional - :param version: The version of the Agent rule. + :param version: The version of the Agent rule :type version: int, optional """ if actions is not unset: @@ -178,6 +184,8 @@ def __init__( kwargs["filters"] = filters if name is not unset: kwargs["name"] = name + if product_tags is not unset: + kwargs["product_tags"] = product_tags if update_author_uu_id is not unset: kwargs["update_author_uu_id"] = update_author_uu_id if update_date is not unset: diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_create_attributes.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_create_attributes.py index 564ed91f60..d98c6c840c 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_create_attributes.py 
+++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_create_attributes.py @@ -22,6 +22,8 @@ def openapi_types(_): "expression": (str,), "filters": ([str],), "name": (str,), + "policy_id": (str,), + "product_tags": ([str],), } attribute_map = { @@ -30,6 +32,8 @@ def openapi_types(_): "expression": "expression", "filters": "filters", "name": "name", + "policy_id": "policy_id", + "product_tags": "product_tags", } def __init__( @@ -39,6 +43,8 @@ def __init__( description: Union[str, UnsetType] = unset, enabled: Union[bool, UnsetType] = unset, filters: Union[List[str], UnsetType] = unset, + policy_id: Union[str, UnsetType] = unset, + product_tags: Union[List[str], UnsetType] = unset, **kwargs, ): """ @@ -47,17 +53,23 @@ def __init__( :param description: The description of the Agent rule. :type description: str, optional - :param enabled: Whether the Agent rule is enabled. + :param enabled: Whether the Agent rule is enabled :type enabled: bool, optional :param expression: The SECL expression of the Agent rule. :type expression: str - :param filters: The platforms the Agent rule is supported on. + :param filters: The platforms the Agent rule is supported on :type filters: [str], optional :param name: The name of the Agent rule. :type name: str + + :param policy_id: The ID of the policy where the Agent rule is saved + :type policy_id: str, optional + + :param product_tags: The list of product tags associated with the rule + :type product_tags: [str], optional """ if description is not unset: kwargs["description"] = description @@ -65,6 +77,10 @@ def __init__( kwargs["enabled"] = enabled if filters is not unset: kwargs["filters"] = filters + if policy_id is not unset: + kwargs["policy_id"] = policy_id + if product_tags is not unset: + kwargs["product_tags"] = product_tags super().__init__(kwargs) self_.expression = expression 
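Review bot: The new `:param policy_id:` entry in `CloudWorkloadSecurityAgentRuleCreateAttributes.__init__` says where the rule is saved but, as the parameter is optional, never states what the rule is attached to when it is omitted — and the policy determines which hosts the SECL `expression` is enforced on. I would extend it to `The ID of the policy where the Agent rule is saved; when omitted the rule is attached to the default policy (confirm against the API)`, with the real default verified before it is written down. A short format hint would also help, since `policy_id` is a bare `str` here while the spec example is a UUID, so callers can validate before sending. The wording originates in the spec's `policy_id` description, so the change should be made there.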
diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_create_data.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_create_data.py index 7a5aefc8a4..2e299e677e 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_create_data.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_create_data.py @@ -45,12 +45,12 @@ def __init__( **kwargs, ): """ - Object for a single Agent rule. + Object for a single Agent rule :param attributes: Create a new Cloud Workload Security Agent rule. :type attributes: CloudWorkloadSecurityAgentRuleCreateAttributes - :param type: The type of the resource. The value should always be ``agent_rule``. + :param type: The type of the resource, must always be ``agent_rule`` :type type: CloudWorkloadSecurityAgentRuleType """ super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_create_request.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_create_request.py index 166de7968d..6b03211275 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_create_request.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_create_request.py @@ -34,9 +34,9 @@ def openapi_types(_): def __init__(self_, data: CloudWorkloadSecurityAgentRuleCreateData, **kwargs): """ - Request object that includes the Agent rule to create. + Request object that includes the Agent rule to create - :param data: Object for a single Agent rule. + :param data: Object for a single Agent rule :type data: CloudWorkloadSecurityAgentRuleCreateData """ super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_creator_attributes.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_creator_attributes.py index 731abda3a3..f7c37b854c 100644 
--- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_creator_attributes.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_creator_attributes.py @@ -31,12 +31,12 @@ def __init__( self_, handle: Union[str, UnsetType] = unset, name: Union[str, none_type, UnsetType] = unset, **kwargs ): """ - The attributes of the user who created the Agent rule. + The attributes of the user who created the Agent rule - :param handle: The handle of the user. + :param handle: The handle of the user :type handle: str, optional - :param name: The name of the user. + :param name: The name of the user :type name: str, none_type, optional """ if handle is not unset: diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_data.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_data.py index c36822fb11..9f293ade95 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_data.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_data.py @@ -50,15 +50,15 @@ def __init__( **kwargs, ): """ - Object for a single Agent rule. + Object for a single Agent rule - :param attributes: A Cloud Workload Security Agent rule returned by the API. + :param attributes: A Cloud Workload Security Agent rule returned by the API :type attributes: CloudWorkloadSecurityAgentRuleAttributes, optional - :param id: The ID of the Agent rule. + :param id: The ID of the Agent rule :type id: str, optional - :param type: The type of the resource. The value should always be ``agent_rule``. + :param type: The type of the resource, must always be ``agent_rule`` :type type: CloudWorkloadSecurityAgentRuleType, optional """ if attributes is not unset: diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_kill.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_kill.py index 15ad9a05a6..f5279a1d88 100644 
--- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_kill.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_kill.py @@ -28,7 +28,7 @@ def __init__(self_, signal: Union[str, UnsetType] = unset, **kwargs): """ Kill system call applied on the container matching the rule - :param signal: Supported signals for the kill system call. + :param signal: Supported signals for the kill system call :type signal: str, optional """ if signal is not unset: diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_response.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_response.py index 8a480003e8..aa43b8171e 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_response.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_response.py @@ -34,9 +34,9 @@ def openapi_types(_): def __init__(self_, data: Union[CloudWorkloadSecurityAgentRuleData, UnsetType] = unset, **kwargs): """ - Response object that includes an Agent rule. + Response object that includes an Agent rule - :param data: Object for a single Agent rule. + :param data: Object for a single Agent rule :type data: CloudWorkloadSecurityAgentRuleData, optional """ if data is not unset: diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_type.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_type.py index 5c027e8f80..782f0b1815 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_type.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_type.py @@ -14,7 +14,7 @@ class CloudWorkloadSecurityAgentRuleType(ModelSimple): """ - The type of the resource. The value should always be `agent_rule`. + The type of the resource, must always be `agent_rule` :param value: If omitted defaults to "agent_rule". Must be one of ["agent_rule"]. :type value: str 
diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_attributes.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_attributes.py index 5e26b5dd69..50b555fc8b 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_attributes.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_attributes.py @@ -3,7 +3,7 @@ # Copyright 2019-Present Datadog, Inc. from __future__ import annotations -from typing import Union +from typing import List, Union from datadog_api_client.model_utils import ( ModelNormal, @@ -20,12 +20,16 @@ def openapi_types(_): "description": (str,), "enabled": (bool,), "expression": (str,), + "policy_id": (str,), + "product_tags": ([str],), } attribute_map = { "description": "description", "enabled": "enabled", "expression": "expression", + "policy_id": "policy_id", + "product_tags": "product_tags", } def __init__( 
@@ -33,19 +37,27 @@ def __init__( description: Union[str, UnsetType] = unset, enabled: Union[bool, UnsetType] = unset, expression: Union[str, UnsetType] = unset, + policy_id: Union[str, UnsetType] = unset, + product_tags: Union[List[str], UnsetType] = unset, **kwargs, ): """ - Update an existing Cloud Workload Security Agent rule. + Update an existing Cloud Workload Security Agent rule - :param description: The description of the Agent rule. + :param description: The description of the Agent rule :type description: str, optional - :param enabled: Whether the Agent rule is enabled. + :param enabled: Whether the Agent rule is enabled :type enabled: bool, optional - :param expression: The SECL expression of the Agent rule. + :param expression: The SECL expression of the Agent rule :type expression: str, optional + + :param policy_id: The ID of the policy where the Agent rule is saved + :type policy_id: str, optional + + :param product_tags: The list of product tags associated with the rule + :type product_tags: [str], optional """ if description is not unset: kwargs["description"] = description @@ -53,4 +65,8 @@ def __init__( kwargs["enabled"] = enabled if expression is not unset: kwargs["expression"] = expression + if policy_id is not unset: + kwargs["policy_id"] = policy_id + if product_tags is not unset: + kwargs["product_tags"] = product_tags super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_data.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_data.py index c288bbe03c..3d5f24452b 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_data.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_data.py 
@@ -50,15 +50,15 @@ def __init__( **kwargs, ): """ - Object for a single Agent rule. + Object for a single Agent rule - :param attributes: Update an existing Cloud Workload Security Agent rule. + :param attributes: Update an existing Cloud Workload Security Agent rule :type attributes: CloudWorkloadSecurityAgentRuleUpdateAttributes - :param id: The ID of the agent rule. + :param id: The ID of the Agent rule :type id: str, optional - :param type: The type of the resource. The value should always be ``agent_rule``. + :param type: The type of the resource, must always be ``agent_rule`` :type type: CloudWorkloadSecurityAgentRuleType """ if id is not unset: diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_request.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_request.py index 4e298ab8b6..e40482d0e1 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_request.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_update_request.py @@ -34,9 +34,9 @@ def openapi_types(_): def __init__(self_, data: CloudWorkloadSecurityAgentRuleUpdateData, **kwargs): """ - Request object that includes the Agent rule with the attributes to update. + Request object that includes the Agent rule with the attributes to update - :param data: Object for a single Agent rule. + :param data: Object for a single Agent rule :type data: CloudWorkloadSecurityAgentRuleUpdateData """ super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_updater_attributes.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_updater_attributes.py index 638efadbbb..e33499a544 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_updater_attributes.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_updater_attributes.py 
@@ -31,12 +31,12 @@ def __init__( self_, handle: Union[str, UnsetType] = unset, name: Union[str, none_type, UnsetType] = unset, **kwargs ): """ - The attributes of the user who last updated the Agent rule. + The attributes of the user who last updated the Agent rule - :param handle: The handle of the user. + :param handle: The handle of the user :type handle: str, optional - :param name: The name of the user. + :param name: The name of the user :type name: str, none_type, optional """ if handle is not unset: diff --git a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rules_list_response.py b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rules_list_response.py index 8c275abe77..4b7a4d1a52 100644 --- a/src/datadog_api_client/v2/model/cloud_workload_security_agent_rules_list_response.py +++ b/src/datadog_api_client/v2/model/cloud_workload_security_agent_rules_list_response.py @@ -34,9 +34,9 @@ def openapi_types(_): def __init__(self_, data: Union[List[CloudWorkloadSecurityAgentRuleData], UnsetType] = unset, **kwargs): """ - Response object that includes a list of Agent rule. + Response object that includes a list of Agent rule - :param data: A list of Agent rules objects. + :param data: A list of Agent rules objects :type data: [CloudWorkloadSecurityAgentRuleData], optional """ if data is not unset: diff --git a/src/datadog_api_client/v2/models/__init__.py b/src/datadog_api_client/v2/models/__init__.py index 0728f5af3f..7bbc02c184 100644 --- a/src/datadog_api_client/v2/models/__init__.py +++ b/src/datadog_api_client/v2/models/__init__.py 
@@ -498,6 +498,38 @@ from datadog_api_client.v2.model.cloud_configuration_rule_options import CloudConfigurationRuleOptions from datadog_api_client.v2.model.cloud_configuration_rule_payload import CloudConfigurationRulePayload from datadog_api_client.v2.model.cloud_configuration_rule_type import CloudConfigurationRuleType +from datadog_api_client.v2.model.cloud_workload_security_agent_policies_list_response import ( + CloudWorkloadSecurityAgentPoliciesListResponse, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_attributes import ( + CloudWorkloadSecurityAgentPolicyAttributes, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_attributes import ( + CloudWorkloadSecurityAgentPolicyCreateAttributes, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_data import ( + CloudWorkloadSecurityAgentPolicyCreateData, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_create_request import ( + CloudWorkloadSecurityAgentPolicyCreateRequest, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_data import CloudWorkloadSecurityAgentPolicyData +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_response import ( + CloudWorkloadSecurityAgentPolicyResponse, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_type import CloudWorkloadSecurityAgentPolicyType +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_attributes import ( + CloudWorkloadSecurityAgentPolicyUpdateAttributes, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_data import ( + CloudWorkloadSecurityAgentPolicyUpdateData, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_update_request import ( + CloudWorkloadSecurityAgentPolicyUpdateRequest, +) +from datadog_api_client.v2.model.cloud_workload_security_agent_policy_updater_attributes import ( + 
CloudWorkloadSecurityAgentPolicyUpdaterAttributes, +) from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action import CloudWorkloadSecurityAgentRuleAction from datadog_api_client.v2.model.cloud_workload_security_agent_rule_attributes import ( CloudWorkloadSecurityAgentRuleAttributes, @@ -3812,6 +3844,18 @@ "CloudConfigurationRuleOptions", "CloudConfigurationRulePayload", "CloudConfigurationRuleType", + "CloudWorkloadSecurityAgentPoliciesListResponse", + "CloudWorkloadSecurityAgentPolicyAttributes", + "CloudWorkloadSecurityAgentPolicyCreateAttributes", + "CloudWorkloadSecurityAgentPolicyCreateData", + "CloudWorkloadSecurityAgentPolicyCreateRequest", + "CloudWorkloadSecurityAgentPolicyData", + "CloudWorkloadSecurityAgentPolicyResponse", + "CloudWorkloadSecurityAgentPolicyType", + "CloudWorkloadSecurityAgentPolicyUpdateAttributes", + "CloudWorkloadSecurityAgentPolicyUpdateData", + "CloudWorkloadSecurityAgentPolicyUpdateRequest", + "CloudWorkloadSecurityAgentPolicyUpdaterAttributes", "CloudWorkloadSecurityAgentRuleAction", "CloudWorkloadSecurityAgentRuleAttributes", "CloudWorkloadSecurityAgentRuleCreateAttributes", diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen index 0086bc5659..569f1f1897 100644 --- a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:45.044Z \ No newline at end of file +2025-04-18T09:10:11.610Z \ No newline at end of file 
diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml index 89c6f981bf..dc081978ae 100644 --- a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml @@ -1,7 +1,26 @@ interactions: - request: - body: '{"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"open.file.path - = sh","name":"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1713895065"},"type":"agent_rule"}}' + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967411"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"byc-7rh-p5l","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967411","policyVersion":"1","priority":1000000002,"ruleCount":226,"updateDate":1744967411964,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name","filters":[],"name":"my_agent_rule"},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -12,8 +31,7 @@ interactions: response: body: string: '{"errors":["input_validation_error(Field ''expression'' is invalid: - rule `testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1713895065` - error: syntax error `1:18: unexpected token \"sh\" (expected \"~\")`)"]} + rule `my_agent_rule` error: rule syntax error: bool expected: 1:1: exec.file.name\n^)"]} ' headers: @@ -22,4 +40,20 @@ interactions: status: code: 400 message: Bad Request +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/byc-7rh-p5l + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.frozen index 0a184145e4..8ad981fd20 100644 --- a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:45.232Z \ No newline at end of file +2025-04-01T14:30:49.909Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.yaml index 06c7b205dc..49b049d4fb 100644 --- a/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_create_a_cloud_workload_security_agent_rule_returns_ok_response.yaml 
@@ -1,7 +1,27 @@ interactions: - request: - body: '{"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1713895065"},"type":"agent_rule"}}' + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"4o4-2ha-t4b","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517849954,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name + == \"sh\"","filters":[],"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849"},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,9 +31,10 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: body: - string: '{"data":{"id":"igj-qzb-9eq","attributes":{"version":1,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1713895065","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713895065356,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713895065356,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"}} + string: '{"data":{"id":"amk-lsa-s1q","attributes":{"version":1,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1743517850483,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1743517850483,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}} ' headers: @@ -28,7 +49,7 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/igj-qzb-9eq + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/amk-lsa-s1q response: body: string: '' 
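Review bot: The re-recorded create response now carries `"filters":[]` where the previous recording had `"filters":["os == \"linux\""]`, and the only request-side difference is that the scenario now sends `"filters":[]` explicitly. On the `remote_config/products/cws/agent_rules` endpoint recorded later in this same commit the server re-applies the Linux filter to an identical request, so it looks like the legacy `security_monitoring/cloud_workload_security/agent_rules` endpoint treats an explicit empty list as "no OS filter" — a rule created from this example would match every host OS rather than only Linux. If the intent is only to show the field, send the filter explicitly (`"filters":["os == \"linux\""]`) or drop `filters` from the scenario so the server default applies; the feature file that drives this request is not in the diff, so confirm there.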
@@ -36,4 +57,20 @@ interactions: status: code: 204 message: No Content +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/4o4-2ha-t4b + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_policy_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_policy_returns_bad_request_response.frozen new file mode 100644 index 0000000000..c290cdbad6 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_policy_returns_bad_request_response.frozen @@ -0,0 +1 @@ +2025-04-15T09:10:06.353Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_policy_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_policy_returns_bad_request_response.yaml new file mode 100644 index 0000000000..834439eb27 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_policy_returns_bad_request_response.yaml @@ -0,0 +1,22 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":[],"hostTagsLists":[],"name":"test"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"errors":[{"title":"failed to create policy"}]} + + ' + headers: + content-type: + - application/json + status: + code: 400 + message: Bad Request +version: 1 
diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_policy_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_policy_returns_ok_response.frozen new file mode 100644 index 0000000000..3eef66a9c7 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_policy_returns_ok_response.frozen @@ -0,0 +1 @@ +2025-04-15T09:10:06.769Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_policy_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_policy_returns_ok_response.yaml new file mode 100644 index 0000000000..fe193f74fe --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_policy_returns_ok_response.yaml 
@@ -0,0 +1,38 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTagsLists":[["env:test"]],"name":"my_agent_policy"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"4op-0bb-yom","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":225,"name":"my_agent_policy","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1744708206895,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/4op-0bb-yom + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.frozen index c616aa2ac2..f989accc05 100644 --- a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:44.167Z \ No newline at end of file +2025-04-01T14:30:45.280Z \ No newline at end of file 
diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.yaml index 1096d35d18..2f59d9aef3 100644 --- a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_bad_request_response.yaml @@ -1,7 +1,26 @@ interactions: - request: - body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == sh","name":"testcreateacsmthreatsagentrulereturnsbadrequestresponse1713895064"},"type":"agent_rule"}}' + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateacsmthreatsagentrulereturnsbadrequestresponse1743517845"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"mrs-qdn-jq8","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateacsmthreatsagentrulereturnsbadrequestresponse1743517845","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517845323,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name","filters":[],"name":"my_agent_rule","policy_id":"mrs-qdn-jq8","product_tags":[]},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,13 +30,28 @@ interactions: uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules response: body: - string: '{"errors":["input_validation_error(Field ''expression'' is invalid: - rule `testcreateacsmthreatsagentrulereturnsbadrequestresponse1713895064` error: - rule compilation error: field `sh` not found)"]}' + string: '{"errors":["input_validation_error(Field ''name'' is invalid: rule + `my_agent_rule` error: multiple definition with the same ID)"]}' headers: content-type: - application/json status: code: 400 message: Bad Request +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/mrs-qdn-jq8 + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.frozen index 42b749c2db..d00c1e7e92 100644 --- a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.frozen @@ -1 +1 @@ -2024-05-22T16:22:22.200Z \ No newline at end of file +2025-04-01T14:30:46.809Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.yaml index 062d81938c..77000c7039 100644 --- a/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_create_a_csm_threats_agent_rule_returns_ok_response.yaml 
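Review bot: The 400 recorded for this bad-request scenario is `Field 'name' is invalid: rule `my_agent_rule` error: multiple definition with the same ID`, not a rejection of the deliberately invalid expression `exec.file.name` the request sends — a rule named `my_agent_rule` evidently already existed in the recording org, so the cassette passes for the wrong reason and would keep passing even if expression validation regressed. The sibling legacy-endpoint cassette in this commit shows the message the scenario is meant to pin (`rule syntax error: bool expected`). Re-record with a unique, timestamped name as the other scenarios do (`"name":"testcreateacsmthreatsagentrulereturnsbadrequestresponse<ts>"`) so the 400 comes from the expression check; the policy create/delete pair around it is otherwise fine.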
@@ -1,7 +1,27 @@ interactions: +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1743517846"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"eeq-02h-jhh","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateacsmthreatsagentrulereturnsokresponse1743517846","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517846856,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","filters":["os == \"linux\""],"name":"testcreateacsmthreatsagentrulereturnsokresponse1716394942"},"type":"agent_rule"}}' + == \"sh\"","filters":[],"name":"testcreateacsmthreatsagentrulereturnsokresponse1743517846","policy_id":"eeq-02h-jhh","product_tags":[]},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,10 +31,11 @@ interactions: uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules response: body: - string: '{"data":{"id":"pn4-mo8-u5r","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716394942614,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"ree-4gw-dk6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1743517847344,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testcreateacsmthreatsagentrulereturnsokresponse1716394942","updateDate":1716394942614,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"name":"testcreateacsmthreatsagentrulereturnsokresponse1743517846","updateDate":1743517847344,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: content-type: - application/json @@ -27,7 +48,23 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pn4-mo8-u5r + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ree-4gw-dk6 + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/eeq-02h-jhh response: body: string: '' diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen index 01e1555405..c943cdfcd9 100644 
--- a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:46.672Z \ No newline at end of file +2025-04-01T14:30:54.389Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml index 07adec3842..cbf73049e6 100644 --- a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml @@ -5,10 +5,10 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/non-existent-rule-id response: body: - string: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]} + string: '{"errors":["Not found"]} ' headers: diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.frozen index abfeb06135..5d92123426 100644 --- a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:46.852Z \ No newline at end of file +2025-04-18T09:10:13.237Z \ No newline at end of file 
diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.yaml index 232ef916da..cfd6ea666e 100644 --- a/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_cloud_workload_security_agent_rule_returns_ok_response.yaml @@ -1,7 +1,7 @@ interactions: - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1713895066"},"type":"agent_rule"}}' + == \"sh\"","name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1744967413"},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,9 +11,10 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: body: - string: '{"data":{"id":"tlm-pl7-gkc","attributes":{"version":1,"name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1713895066","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713895066982,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713895066982,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"}} + string: '{"data":{"id":"ghk-tsf-neq","attributes":{"version":1,"name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1744967413","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1744967413434,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1744967413434,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}} ' headers: @@ -28,7 +29,7 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/tlm-pl7-gkc + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ghk-tsf-neq response: body: string: '' 
@@ -42,10 +43,10 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/tlm-pl7-gkc + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ghk-tsf-neq response: body: - string: '{"errors":["not_found(Agent rule not found: agentRuleId=tlm-pl7-gkc)"]} + string: '{"errors":["not_found(Agent rule not found: agentRuleId=ghk-tsf-neq)"]} ' headers: diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_policy_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_policy_returns_not_found_response.frozen new file mode 100644 index 0000000000..2907715a1f --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_policy_returns_not_found_response.frozen @@ -0,0 +1 @@ +2025-04-01T14:30:50.953Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_policy_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_policy_returns_not_found_response.yaml new file mode 100644 index 0000000000..9e478f21ef --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_policy_returns_not_found_response.yaml @@ -0,0 +1,20 @@ +interactions: +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/non-existent-policy-id + response: + body: + string: '{"errors":[{"title":"failed to delete policy"}]} + + ' + headers: + content-type: + - application/json + status: + code: 404 + message: Not Found +version: 1 
diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_policy_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_policy_returns_ok_response.frozen new file mode 100644 index 0000000000..b90ca64b48 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_policy_returns_ok_response.frozen @@ -0,0 +1 @@ +2025-04-01T14:30:51.116Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_policy_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_policy_returns_ok_response.yaml new file mode 100644 index 0000000000..4205c0f83c --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_policy_returns_ok_response.yaml 
@@ -0,0 +1,56 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteacsmthreatsagentpolicyreturnsokresponse1743517851"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"794-4tf-osj","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testdeleteacsmthreatsagentpolicyreturnsokresponse1743517851","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517851168,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/794-4tf-osj + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/794-4tf-osj + response: + body: + string: '{"errors":[{"title":"failed to delete policy"}]} + + ' + headers: + content-type: + - application/json + status: + code: 404 + message: Not Found +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.frozen index 75691616f2..9c683d57fe 100644 --- a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.frozen 
+++ b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:45.602Z \ No newline at end of file +2025-04-01T14:30:52.038Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.yaml index 6271d24327..7b12185126 100644 --- a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_not_found_response.yaml @@ -5,7 +5,7 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/non-existent-rule-id response: body: string: '{"errors":[{"title":"failed to delete rule"}]} diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.frozen index d4cf357cdd..369e24ad10 100644 --- a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:45.727Z \ No newline at end of file +2025-04-01T14:30:52.133Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.yaml index 7dd4824da0..e3d49c1bb2 100644 --- a/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.yaml 
+++ b/tests/v2/cassettes/test_scenarios/test_delete_a_csm_threats_agent_rule_returns_ok_response.yaml @@ -1,7 +1,27 @@ interactions: +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1743517852"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"kqm-fhb-eay","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testdeleteacsmthreatsagentrulereturnsokresponse1743517852","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517852178,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testdeleteacsmthreatsagentrulereturnsokresponse1713895065"},"type":"agent_rule"}}' + == \"sh\"","name":"testdeleteacsmthreatsagentrulereturnsokresponse1743517852","policy_id":"kqm-fhb-eay","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,10 +31,11 @@ interactions: uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules response: body: - string: '{"data":{"id":"r8q-52h-8r2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713895065801,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"pjy-nkm-0wb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1743517852458,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1713895065","updateDate":1713895065801,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1743517852","updateDate":1743517852458,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: content-type: - application/json @@ -27,7 +48,7 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/r8q-52h-8r2 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pjy-nkm-0wb?policy_id=kqm-fhb-eay response: body: string: '' @@ -43,7 +64,7 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/r8q-52h-8r2 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pjy-nkm-0wb response: body: string: '{"errors":[{"title":"failed to delete rule"}]} 
@@ -55,4 +76,20 @@ interactions: status: code: 404 message: Not Found +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/kqm-fhb-eay + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen index f72d8002ec..881abb7569 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:48.453Z \ No newline at end of file +2025-04-01T14:30:58.452Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml index adb30d74c2..e0f5f5b32e 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml @@ -5,10 +5,10 @@ interactions: accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/non-existent-rule-id response: body: - string: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]} + string: '{"errors":["Not found"]} ' headers: 
diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.frozen index 2cb7e68f0f..72cbb497c8 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:48.613Z \ No newline at end of file +2025-04-18T09:10:13.933Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.yaml index 68359aadbd..54caaf65e1 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_get_a_cloud_workload_security_agent_rule_returns_ok_response.yaml @@ -1,7 +1,7 @@ interactions: - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1713895068"},"type":"agent_rule"}}' + == \"sh\"","name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413"},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,9 +11,10 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: body: - string: '{"data":{"id":"ei4-rq6-ept","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1713895068","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713895068731,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713895068731,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"}} + string: '{"data":{"id":"ajb-znb-t3g","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1744967414208,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1744967414208,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}} ' headers: 
@@ -28,12 +29,13 @@ interactions: accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ei4-rq6-ept + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ajb-znb-t3g response: body: - string: '{"data":{"id":"ei4-rq6-ept","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1713895068","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713895068731,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713895068731,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"}} + string: '{"data":{"id":"ajb-znb-t3g","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1744967414208,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1744967414208,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}} ' headers: @@ -48,7 +50,7 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ei4-rq6-ept + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ajb-znb-t3g response: body: string: '' 
diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_policy_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_policy_returns_not_found_response.frozen new file mode 100644 index 0000000000..24a790d0a6 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_policy_returns_not_found_response.frozen @@ -0,0 +1 @@ +2025-04-01T14:30:54.462Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_policy_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_policy_returns_not_found_response.yaml new file mode 100644 index 0000000000..d83a39071f --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_policy_returns_not_found_response.yaml @@ -0,0 +1,18 @@ +interactions: +- request: + body: null + headers: + accept: + - application/json + method: GET + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/non-existent-policy-id + response: + body: + string: '{"errors":[{"title":"Not Found"}]}' + headers: + content-type: + - application/json + status: + code: 404 + message: Not Found +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_policy_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_policy_returns_ok_response.frozen new file mode 100644 index 0000000000..76a8312837 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_policy_returns_ok_response.frozen @@ -0,0 +1 @@ +2025-04-01T14:30:54.711Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_policy_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_policy_returns_ok_response.yaml new file mode 100644 index 0000000000..34f06733d3 --- /dev/null 
+++ b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_policy_returns_ok_response.yaml 
@@ -0,0 +1,56 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetacsmthreatsagentpolicyreturnsokresponse1743517854"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"egv-qkr-ihb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testgetacsmthreatsagentpolicyreturnsokresponse1743517854","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517854753,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: null + headers: + accept: + - application/json + method: GET + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/egv-qkr-ihb + response: + body: + string: '{"data":{"id":"egv-qkr-ihb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testgetacsmthreatsagentpolicyreturnsokresponse1743517854","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517854753,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/egv-qkr-ihb + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + 
message: No Content +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.frozen index 9d08508bcf..a632857145 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:47.369Z \ No newline at end of file +2025-04-01T14:30:55.749Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.yaml index 362ff446b6..bcb2d97a93 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_not_found_response.yaml @@ -5,7 +5,7 @@ interactions: accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/non-existent-rule-id response: body: string: '{"errors":[{"title":"failed to get rule"}]} diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.frozen index 0f762616f6..5c69286972 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:47.555Z \ No newline at end of file +2025-04-01T14:30:56.067Z \ No newline at end of file 
diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.yaml index 928cc047f8..4ac7dd1dd6 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_get_a_csm_threats_agent_rule_returns_ok_response.yaml @@ -1,7 +1,27 @@ interactions: +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetacsmthreatsagentrulereturnsokresponse1743517856"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"lxh-tyq-n9u","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testgetacsmthreatsagentrulereturnsokresponse1743517856","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517856115,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testgetacsmthreatsagentrulereturnsokresponse1713895067"},"type":"agent_rule"}}' + == \"sh\"","name":"testgetacsmthreatsagentrulereturnsokresponse1743517856","policy_id":"lxh-tyq-n9u","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,10 +31,11 @@ interactions: uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules response: body: - string: '{"data":{"id":"6wy-t98-466","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713895067605,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"k1m-gqh-zqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1743517856488,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testgetacsmthreatsagentrulereturnsokresponse1713895067","updateDate":1713895067605,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"name":"testgetacsmthreatsagentrulereturnsokresponse1743517856","updateDate":1743517856488,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: content-type: - application/json 
@@ -27,13 +48,14 @@ interactions: accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/6wy-t98-466 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/k1m-gqh-zqm?policy_id=lxh-tyq-n9u response: body: - string: '{"data":{"id":"6wy-t98-466","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713895067000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"k1m-gqh-zqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1743517856000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testgetacsmthreatsagentrulereturnsokresponse1713895067","updateDate":1713895067000,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"name":"testgetacsmthreatsagentrulereturnsokresponse1743517856","updateDate":1743517856000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: content-type: - application/json @@ -46,7 +68,23 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/6wy-t98-466 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/k1m-gqh-zqm + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/lxh-tyq-n9u response: body: string: '' 
diff --git a/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.frozen index bdb6d07aa2..a1b59dc82f 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:49.344Z \ No newline at end of file +2025-04-01T14:30:58.973Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.yaml index 8961e7e47a..a52b5d204a 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_get_all_cloud_workload_security_agent_rules_returns_ok_response.yaml 
@@ -1,27 +1,4 @@ interactions: -- request: - body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1713895069"},"type":"agent_rule"}}' - headers: - accept: - - application/json - content-type: - - application/json - method: POST - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules - response: - body: - string: '{"data":{"id":"sk6-sni-wfh","attributes":{"version":1,"name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1713895069","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713895069454,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713895069454,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"}} - - ' - headers: - content-type: - - application/json - status: - code: 200 - message: OK - request: body: null headers: 
@@ -31,72 +8,121 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: body: - string: '{"data":[{"id":"sk6-sni-wfh","attributes":{"version":1,"name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1713895069","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713895069454,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713895069454,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"zfc-g0g-a8x","attributes":{"version":1,"name":"dummy_rule_LPRxi","description":"Execution + string: '{"data":[{"id":"h9w-1za-erv","attributes":{"version":2,"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1742473059337,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1742473059978,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"khg-aab-9th","attributes":{"version":2,"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1737245935950,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1737245936416,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ayg-ed4-gwq","attributes":{"version":1,"name":"dummy_rule_KSDPb","description":"Execution + of a java process","expression":"exec.file.name == \"java\"","category":"Process + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1730871736407,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1730871736407,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"om5-n7z-ike","attributes":{"version":1,"name":"dummy_rule_qDgvU","description":"Execution + of a java process","expression":"exec.file.name == \"java\"","category":"Process + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1727845578846,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1727845578846,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"6ae-6oo-ebo","attributes":{"version":1,"name":"dummy_rule_DBtCK","description":"Execution + of a java process","expression":"exec.file.name == \"java\"","category":"Process + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1724855417119,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1724855417119,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"z3p-vom-jnb","attributes":{"version":1,"name":"examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1724373425669,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1724373425669,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"aum-fmk-2zi","attributes":{"version":1,"name":"dummy_rule_sUVnW","description":"Execution + of a java process","expression":"exec.file.name == \"java\"","category":"Process + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1720846828022,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1720846828022,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"8j1-gvj-zbg","attributes":{"version":1,"name":"dummy_rule_ipyRF","description":"Execution + of a java process","expression":"exec.file.name == \"java\"","category":"Process + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1720846816336,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1720846816336,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mgj-zek-ajo","attributes":{"version":1,"name":"dummy_rule_AszwF","description":"Execution + of a java process","expression":"exec.file.name == \"java\"","category":"Process + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1718401086044,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1718401086044,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"bf0-bng-csr","attributes":{"version":1,"name":"dummy_rule_bVlLJ","description":"Execution + of a java process","expression":"exec.file.name == \"java\"","category":"Process + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1718400725834,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1718400725834,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"qni-ngf-dzd","attributes":{"version":1,"name":"dummy_rule_tSfwV","description":"Execution + of a java process","expression":"exec.file.name == \"java\"","category":"Process + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1716175452369,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1716175452369,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"qio-d0k-d3j","attributes":{"version":1,"name":"dummy_rule_mABue","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713196703991,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713196703991,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"pae-rpt-yni","attributes":{"version":1,"name":"dummy_rule_CpDMZ","description":"Execution + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1716162686297,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1716162686297,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fbo-ian-ijl","attributes":{"version":1,"name":"dummy_rule_VfQSV","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713196520725,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713196520725,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"jwu-xbf-ic5","attributes":{"version":1,"name":"dummy_rule_HfYXr","description":"Execution + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713905359927,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713905359927,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"1o7-fwy-pet","attributes":{"version":1,"name":"dummy_rule_JAnCe","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713196519724,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713196519724,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"uew-oxg-b86","attributes":{"version":1,"name":"dummy_rule_Tjzvu","description":"Execution + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713903379681,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713903379681,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ug1-mbq-gkm","attributes":{"version":1,"name":"dummy_rule_KJInv","description":"Execution of a java process","expression":"exec.file.name == 
\"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712805386256,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712805386256,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wyn-ib7-f7o","attributes":{"version":1,"name":"dummy_rule_fWORB","description":"Execution + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713902127183,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713902127183,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xvo-htm-wak","attributes":{"version":1,"name":"dummy_rule_PkauG","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712805020073,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712805020073,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mwk-g74-lbd","attributes":{"version":1,"name":"dummy_rule_XcxFr","description":"Execution + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713901759732,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713901759732,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"zfc-g0g-a8x","attributes":{"version":1,"name":"dummy_rule_LPRxi","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712804840761,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712804840761,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rqa-io7-fwn","attributes":{"version":1,"name":"dummy_rule_bKkuv","description":"Execution + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713196703991,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713196703991,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"pae-rpt-yni","attributes":{"version":1,"name":"dummy_rule_CpDMZ","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712804479644,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712804479644,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"n1x-qsa-p53","attributes":{"version":1,"name":"windows_cryptominer_process","description":"A + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713196520725,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713196520725,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"jwu-xbf-ic5","attributes":{"version":1,"name":"dummy_rule_HfYXr","description":"Execution + of a java process","expression":"exec.file.name == \"java\"","category":"Process + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713196519724,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713196519724,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"uew-oxg-b86","attributes":{"version":1,"name":"dummy_rule_Tjzvu","description":"Execution + of a java process","expression":"exec.file.name == \"java\"","category":"Process + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712805386256,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712805386256,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wyn-ib7-f7o","attributes":{"version":1,"name":"dummy_rule_fWORB","description":"Execution + of a java process","expression":"exec.file.name == \"java\"","category":"Process + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712805020073,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712805020073,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mwk-g74-lbd","attributes":{"version":1,"name":"dummy_rule_XcxFr","description":"Execution + of a java process","expression":"exec.file.name == \"java\"","category":"Process + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712804840761,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712804840761,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rqa-io7-fwn","attributes":{"version":1,"name":"dummy_rule_bKkuv","description":"Execution + of a java process","expression":"exec.file.name == \"java\"","category":"Process + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712804479644,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712804479644,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"n1x-qsa-p53","attributes":{"version":1,"name":"windows_cryptominer_process","description":"A cryptominer was potentially executed","expression":"exec.cmdline in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", 
~\"*nicehash*\", ~\"*yespower*\"]","category":"Process - Activity","creationDate":0,"updateDate":1712079129574,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rws-z9b-qjv","attributes":{"version":1,"name":"ransomware_note","description":"Possible + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1712079129574,"filters":["os + == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rws-z9b-qjv","attributes":{"version":1,"name":"ransomware_note","description":"Possible ransomware note created under common user directories","expression":"open.flags & O_CREAT > 0\n&& open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n&& open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] - && open.file.name not in [r\".*\\.lock$\"]","category":"File Activity","creationDate":0,"updateDate":1711644650371,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pqp-0vs-cmu","attributes":{"version":1,"name":"ssh_it_tool_config_write","description":"The + && open.file.name not in [r\".*\\.lock$\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644650371,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pqp-0vs-cmu","attributes":{"version":1,"name":"ssh_it_tool_config_write","description":"The configuration directory for an ssh 
worm","expression":"open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] - && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0","category":"File Activity","creationDate":0,"updateDate":1711644642969,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tkp-w9m-vzp","attributes":{"version":1,"name":"safeboot_modification","description":"Safeboot + && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644642969,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tkp-w9m-vzp","attributes":{"version":1,"name":"safeboot_modification","description":"Safeboot registry modified","expression":"set.registry.key_path =~ \"*\\\\HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\"","category":"File - Activity","creationDate":0,"updateDate":1711644635093,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8be-hej-nf2","attributes":{"version":3,"name":"ps_discovery","description":"Processes + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644635093,"filters":["os + == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8be-hej-nf2","attributes":{"version":3,"name":"ps_discovery","description":"Processes were listed using the ps command","expression":"exec.comm == \"ps\" && exec.argv not in [\"-p\", \"--pid\"] && process.ancestors.file.name not in [\"qualys-cloud-agent\", 
\"amazon-ssm-agent\"] && process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", - \"check_procs\", \"newrelic-daemon\"]","category":"Process Activity","creationDate":0,"updateDate":1711644627589,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wn9-9vf-8be","attributes":{"version":1,"name":"mount_proc_hide","description":"Process + \"check_procs\", \"newrelic-daemon\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644627589,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wn9-9vf-8be","attributes":{"version":1,"name":"mount_proc_hide","description":"Process hidden using mount","expression":"mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", ~\"/proc/6*\", - ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","category":"File Activity","creationDate":0,"updateDate":1711644623109,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"upj-muh-hms","attributes":{"version":2,"name":"chatroom_request","description":"A + ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644623109,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"upj-muh-hms","attributes":{"version":2,"name":"chatroom_request","description":"A DNS 
request was made for a chatroom domain","expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","category":"Network - Activity","creationDate":0,"updateDate":1711644612626,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gnz-81e-6lg","attributes":{"version":1,"name":"cryptominer_envs","description":"Process + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644612626,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gnz-81e-6lg","attributes":{"version":1,"name":"cryptominer_envs","description":"Process environment variables match cryptocurrency miner","expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","category":"Process - Activity","creationDate":0,"updateDate":1711644602654,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7da-gwx-c3l","attributes":{"version":2,"name":"auditctl_usage","description":"The + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644602654,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7da-gwx-c3l","attributes":{"version":2,"name":"auditctl_usage","description":"The auditctl command was used to modify auditd","expression":"exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]","category":"Process - Activity","creationDate":0,"updateDate":1711644592613,"filters":["os == 
\"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8jg-xym-vqz","attributes":{"version":1,"name":"jupyter_shell_execution","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644592613,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8jg-xym-vqz","attributes":{"version":1,"name":"jupyter_shell_execution","description":"A Jupyter notebook executed a shell","expression":"(exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in 
[\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","category":"Process - Activity","creationDate":0,"updateDate":1711644590883,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9ih-87r-xrp","attributes":{"version":1,"name":"registry_runkey_modified","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644590883,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9ih-87r-xrp","attributes":{"version":1,"name":"registry_runkey_modified","description":"A Registry runkey has been modified","expression":"set.registry.key_path in [~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", ~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\", 
@@ -107,7 +133,8 @@ interactions: Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\", ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\"]","category":"File - Activity","creationDate":0,"updateDate":1711644584412,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"msb-ai6-ua5","attributes":{"version":2,"name":"tunnel_traffic","description":"Tunneling + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644584412,"filters":["os + == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"msb-ai6-ua5","attributes":{"version":2,"name":"tunnel_traffic","description":"Tunneling or port forwarding tool used","expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in [\"R\", \"L\", 
@@ -117,8 +144,8 @@ interactions: || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", - \"fish\"])","category":"Process Activity","creationDate":0,"updateDate":1711644574925,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6fr-csu-axm","attributes":{"version":7,"name":"k8s_pod_service_account_token_accessed","description":"The + \"fish\"])","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644574925,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6fr-csu-axm","attributes":{"version":7,"name":"k8s_pod_service_account_token_accessed","description":"The Kubernetes pod service account token was accessed","expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", 
@@ -141,119 +168,96 @@ interactions: \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","creationDate":0,"updateDate":1711644571787,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"30s-pi8-9b4","attributes":{"version":1,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1711550899699,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1711550899699,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644571787,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"30s-pi8-9b4","attributes":{"version":1,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1711550899699,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1711550899699,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"a9q-iyx-gfu","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686508595,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686508595,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686508595,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686508595,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"hlq-w7y-5tg","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686508341,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686508341,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686508341,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686508341,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"lj4-ina-ue2","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507890,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507890,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507890,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507890,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"qlz-mcu-d2k","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507757,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507757,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507757,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507757,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"bmx-go6-0lz","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507388,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507388,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == 
\"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507388,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507388,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"bk0-mpb-ii8","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507115,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507115,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507115,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507115,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"0xw-wbm-pel","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131459596,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131459596,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131459596,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131459596,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"nvt-eoh-yiz","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131458820,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131458820,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131458820,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131458820,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"dc5-hba-20b","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131457616,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131457616,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131457616,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131457616,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"asb-kqf-vex","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131457216,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131457216,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == 
\"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131457216,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131457216,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"yzx-ia6-bdh","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131456469,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131456469,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131456469,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131456469,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"3uo-x9p-tmb","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131455692,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131455692,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131455692,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131455692,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"kan-5ki-wau","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872191984,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872191984,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872191984,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872191984,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"ggb-h3r-t7d","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872191450,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872191450,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872191450,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872191450,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"y4n-8gx-m3n","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872190549,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872190549,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == 
\"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872190549,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872190549,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"xsf-ugy-cfq","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872190256,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872190256,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872190256,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872190256,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"btr-btz-zif","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872189757,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872189757,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872189757,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872189757,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"jnw-ija-az5","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872189262,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872189262,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872189262,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872189262,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"6v0-shq-8gm","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452911364,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452911364,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452911364,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452911364,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"yrv-svq-9nz","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452911144,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452911144,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == 
\"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452911144,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452911144,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"9s9-wui-t8c","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910712,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910712,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910712,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910712,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"krm-ssv-tn5","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910586,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910586,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910586,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910586,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"uiu-6vz-z2h","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910368,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910368,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910368,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910368,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"eej-oup-jwu","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910147,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910147,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910147,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910147,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"ltv-fla-wb0","attributes":{"version":1,"name":"ntds_in_commandline","description":"NTDS file referenced in commandline","expression":"exec.cmdline =~ \"*ntds.dit*\"","category":"Process - Activity","creationDate":0,"updateDate":1704404490608,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uuf-w3c-u9q","attributes":{"version":1,"name":"scheduled_task_creation","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1704404490608,"filters":["os + == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uuf-w3c-u9q","attributes":{"version":1,"name":"scheduled_task_creation","description":"A scheduled task was created","expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","category":"Process - Activity","creationDate":0,"updateDate":1704404490608,"filters":["os == \"windows\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nyc-gfz-yr5","attributes":{"version":5,"name":"nsswitch_conf_mod_chown","description":"nsswitch + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1704404490608,"filters":["os + == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nyc-gfz-yr5","attributes":{"version":5,"name":"nsswitch_conf_mod_chown","description":"nsswitch may have been modified without authorization","expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142958657,"updateDate":1704404477785,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bm8-j5w-xfv","attributes":{"version":3,"name":"suspicious_suid_execution","description":"Recently + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1704404477785,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bm8-j5w-xfv","attributes":{"version":3,"name":"suspicious_suid_execution","description":"Recently written or modified suid file has been executed","expression":"((process.file.mode & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", 
@@ -261,16 +265,16 @@ interactions: \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"Process Activity","creationDate":0,"updateDate":1704404469455,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"phy-tco-k7w","attributes":{"version":6,"name":"database_shell_execution","description":"A + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1704404469455,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"phy-tco-k7w","attributes":{"version":6,"name":"database_shell_execution","description":"A database application spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n!(process.parent.file.name == \"initdb\" &&\nexec.args == \"-c locale -a\") &&\n!(process.parent.file.name - == 
\"postgres\" &&\nexec.args == ~\"*pg_wal*\")","category":"Process Activity","creationDate":1617722069155,"updateDate":1704404453620,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7x1-glr-ofl","attributes":{"version":2,"name":"credential_modified_open_v2","description":"Sensitive + == \"postgres\" &&\nexec.args == ~\"*pg_wal*\")","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":1617722069155,"updateDate":1704404453620,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7x1-glr-ofl","attributes":{"version":2,"name":"credential_modified_open_v2","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", 
@@ -281,8 +285,8 @@ interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && container.created_at - > 90s","category":"File Activity","creationDate":0,"updateDate":1704404453617,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jjg-cwd-bi8","attributes":{"version":2,"name":"pci_11_5_critical_binaries_open_v2","description":"Critical + > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1704404453617,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jjg-cwd-bi8","attributes":{"version":2,"name":"pci_11_5_critical_binaries_open_v2","description":"Critical system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
@@ -292,135 +296,105 @@ interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && container.created_at - > 90s","category":"File Activity","creationDate":0,"updateDate":1704404449335,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rqb-wq9-xzq","attributes":{"version":1,"name":"dummy_rule_jcvqK","description":"Execution + > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1704404449335,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rqb-wq9-xzq","attributes":{"version":1,"name":"dummy_rule_jcvqK","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1704404420111,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1704404420111,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"sqx-azd-ia2","attributes":{"version":1,"name":"dummy_rule_ivMAv","description":"Execution + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1704404420111,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1704404420111,"filters":["os + == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"sqx-azd-ia2","attributes":{"version":1,"name":"dummy_rule_ivMAv","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1700251049947,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1700251049947,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"83g-jde-hyc","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1700243663249,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1700243663249,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hyg-8q3-gme","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294824,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294824,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1700251049947,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1700251049947,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"83g-jde-hyc","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1700243663249,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1700243663249,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hyg-8q3-gme","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294824,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294824,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"bn3-we8-cxn","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294","description":"My 
- Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294647,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294647,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294647,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294647,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"goh-6ij-cpa","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294269,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294269,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294269,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294269,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"he7-cho-9th","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294175,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294175,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294175,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294175,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"pj5-9wo-0ny","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219293961,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219293961,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == 
\"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219293961,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219293961,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"dmd-ens-omw","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219293736,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219293736,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219293736,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219293736,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"8ft-wcs-sok","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132880522,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132880522,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132880522,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132880522,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"onm-fm3-ilm","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132880255,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132880255,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132880255,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132880255,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"cxv-wyz-udh","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879795,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879795,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879795,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879795,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"7ro-vjj-hqg","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879679,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879679,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == 
\"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879679,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879679,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"3uf-mai-edh","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879455,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879455,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879455,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879455,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"e2t-sos-sgs","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879213,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879213,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879213,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879213,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"joz-phu-bj6","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046608383,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046608383,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046608383,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046608383,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"9gx-e5x-wxl","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046607880,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046607880,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046607880,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046607880,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"cmg-7ok-iws","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046607019,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046607019,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == 
\"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046607019,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046607019,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"fc2-mmz-xme","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046606743,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046606743,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046606743,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046606743,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"cw4-gei-lqg","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046606184,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046606184,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046606184,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046606184,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"djb-5it-syy","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046605699,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046605699,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046605699,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046605699,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"2be-cfa-xhr","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960183272,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960183272,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960183272,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960183272,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"5dp-tcj-tbm","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960182731,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960182731,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == 
\"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960182731,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960182731,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"a0m-zaf-0a8","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960181838,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960181838,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960181838,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960181838,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"erx-pyz-xft","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960181554,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960181554,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960181554,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960181554,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"ydh-fsm-slz","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960181024,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960181024,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960181024,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960181024,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"5pp-60h-keq","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960180438,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960180438,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960180438,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960180438,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"xyn-fkc-osi","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873852793,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873852793,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == 
\"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873852793,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873852793,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"llg-x6t-jjq","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873852043,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873852043,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873852043,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873852043,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"q1s-ejx-xq3","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873850880,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873850880,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873850880,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873850880,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"zw4-cad-dro","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873850490,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873850490,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873850490,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873850490,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"rik-8jl-7nr","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873849810,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873849810,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873849810,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873849810,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"vih-vom-ryl","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873849102,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873849102,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == 
\"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873849102,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873849102,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"mhl-gkn-bun","attributes":{"version":6,"name":"pci_11_5_critical_binaries_unlink","description":"Critical system binaries may have been modified","expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", 
@@ -430,23 +404,24 @@ interactions: \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":1606142933669,"updateDate":1699614659146,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"j3f-cie-47b","attributes":{"version":2,"name":"kernel_module_load_from_memory","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1699614659146,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"j3f-cie-47b","attributes":{"version":2,"name":"kernel_module_load_from_memory","description":"A kernel module was loaded from memory","expression":"load_module.loaded_from_memory - == true","category":"Kernel Activity","creationDate":1650293718630,"updateDate":1699614659145,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"my1-vln-8fq","attributes":{"version":3,"name":"cryptominer_args","description":"A + == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":1650293718630,"updateDate":1699614659145,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"my1-vln-8fq","attributes":{"version":3,"name":"cryptominer_args","description":"A process launched with arguments associated with cryptominers","expression":"exec.args_options in [~\"cpu-priority*\", 
~\"donate-level*\"] || exec.args in [~\"*stratum+tcp*\"]","category":"Process - Activity","creationDate":0,"updateDate":1699614656177,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"us6-p6v-hbj","attributes":{"version":2,"name":"tar_execution","description":"Tar + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699614656177,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"us6-p6v-hbj","attributes":{"version":2,"name":"tar_execution","description":"Tar archive created","expression":"exec.file.path == \"/usr/bin/tar\" && exec.args_flags - in [\"create\",\"c\"]","category":"Process Activity","creationDate":0,"updateDate":1699614655670,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vky-y2i-mvh","attributes":{"version":2,"name":"java_shell_execution_parent","description":"A + in [\"create\",\"c\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699614655670,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vky-y2i-mvh","attributes":{"version":2,"name":"java_shell_execution_parent","description":"A java process spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n 
\"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/us
r/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n&& - process.parent.file.name == \"java\"","category":"Process Activity","creationDate":0,"updateDate":1699614653571,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ohe-vlf-t2h","attributes":{"version":9,"name":"ssl_certificate_tampering_chown","description":"SSL + process.parent.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699614653571,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ohe-vlf-t2h","attributes":{"version":9,"name":"ssl_certificate_tampering_chown","description":"SSL certificates may have been tampered with","expression":"(\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
@@ -456,36 +431,30 @@ interactions: process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1606142980369,"updateDate":1699614645120,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"abo-w0g-emz","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614584761,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614584761,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142980369,"updateDate":1699614645120,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"abo-w0g-emz","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614584761,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614584761,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"yyr-62t-pwg","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614584201,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614584201,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614584201,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614584201,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"s87-olo-akk","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614583309,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614583309,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614583309,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614583309,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"hqc-ilw-6pg","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614583007,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614583007,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614583007,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614583007,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"5ik-iyy-ry4","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614582497,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614582497,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614582497,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614582497,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"0mj-ptm-mcq","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614581944,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614581944,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + Agent rule","expression":"exec.file.name == 
\"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614581944,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614581944,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"awr-mtg-lce","attributes":{"version":1,"name":"offensive_k8s_tool","description":"A known kubernetes pentesting tool has been executed","expression":"(exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","category":"Process - Activity","creationDate":0,"updateDate":1699605598275,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qng-psi-j15","attributes":{"version":5,"name":"runc_modification","description":"The + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699605598275,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qng-psi-j15","attributes":{"version":5,"name":"runc_modification","description":"The runc binary was modified in a non-standard way","expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n&& open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n&& process.file.path not in [~\"/usr/bin/apt*\", 
@@ -494,20 +463,20 @@ interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File - Activity","creationDate":1627392837049,"updateDate":1699605592780,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vlh-msh-elx","attributes":{"version":1,"name":"redis_save_module","description":"Redis + Activity","defaultRule":true,"enabled":true,"creationDate":1627392837049,"updateDate":1699605592780,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vlh-msh-elx","attributes":{"version":1,"name":"redis_save_module","description":"Redis module has been created","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name in [\"redis-check-rdb\", \"redis-server\"]","category":"File - Activity","creationDate":0,"updateDate":1699605590262,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"i0s-yb1-hnl","attributes":{"version":4,"name":"net_util_exfiltration","description":"Exfiltration + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699605590262,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"i0s-yb1-hnl","attributes":{"version":4,"name":"net_util_exfiltration","description":"Exfiltration attempt via network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && \nexec.args_options in [ 
~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] &&\nexec.args not in - [~\"*localhost*\", ~\"*127.0.0.1*\"]","category":"Process Activity","creationDate":0,"updateDate":1699605585597,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ki7-koc-icf","attributes":{"version":2,"name":"apparmor_modified_tty","description":"An + [~\"*localhost*\", ~\"*127.0.0.1*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699605585597,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ki7-koc-icf","attributes":{"version":2,"name":"apparmor_modified_tty","description":"An AppArmor profile was modified in an interactive session","expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name !=\"\"","category":"Process - Activity","creationDate":1627392836162,"updateDate":1699605581360,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kzh-5hn-edg","attributes":{"version":6,"name":"pci_11_5_critical_binaries_chmod","description":"Critical + Activity","defaultRule":true,"enabled":true,"creationDate":1627392836162,"updateDate":1699605581360,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kzh-5hn-edg","attributes":{"version":6,"name":"pci_11_5_critical_binaries_chmod","description":"Critical system binaries may have been modified","expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", 
~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in @@ -516,7 +485,7 @@ interactions: \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","creationDate":1606142933669,"updateDate":1699605577106,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rm1-b8h-cec","attributes":{"version":5,"name":"pci_11_5_critical_binaries_link","description":"Critical + && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1699605577106,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rm1-b8h-cec","attributes":{"version":5,"name":"pci_11_5_critical_binaries_link","description":"Critical system binaries may have been modified","expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path 
@@ -527,15 +496,15 @@ interactions: \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":1606142933669,"updateDate":1699605575176,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zk5-jeo-579","attributes":{"version":2,"name":"rc_scripts_modified","description":"RC + Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1699605575176,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zk5-jeo-579","attributes":{"version":2,"name":"rc_scripts_modified","description":"RC scripts modified","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File - Activity","creationDate":0,"updateDate":1699605566454,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"je9-er4-njy","attributes":{"version":2,"name":"selinux_disable_enforcement","description":"SELinux + 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699605566454,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"je9-er4-njy","attributes":{"version":2,"name":"selinux_disable_enforcement","description":"SELinux enforcement status was disabled","expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args != ~\"*BECOME-SUCCESS*\"","category":"Kernel - Activity","creationDate":1635332067172,"updateDate":1699605560892,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yly-big-wfq","attributes":{"version":6,"name":"pci_11_5_critical_binaries_chown","description":"Critical + Activity","defaultRule":true,"enabled":true,"creationDate":1635332067172,"updateDate":1699605560892,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yly-big-wfq","attributes":{"version":6,"name":"pci_11_5_critical_binaries_chown","description":"Critical system binaries may have been modified","expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in 
@@ -545,7 +514,7 @@ interactions: not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","category":"File Activity","creationDate":1606142933669,"updateDate":1699605558253,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6ef-efv-07c","attributes":{"version":5,"name":"pci_11_5_critical_binaries_utimes","description":"Critical + != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1699605558253,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6ef-efv-07c","attributes":{"version":5,"name":"pci_11_5_critical_binaries_utimes","description":"Critical system binaries may have been modified","expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in 
@@ -554,7 +523,7 @@ interactions: \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":1606142933669,"updateDate":1699605550430,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1vg-wvn-jeo","attributes":{"version":5,"name":"pci_11_5_critical_binaries_rename","description":"Critical + Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1699605550430,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1vg-wvn-jeo","attributes":{"version":5,"name":"pci_11_5_critical_binaries_rename","description":"Critical system binaries may have been modified","expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path 
@@ -565,43 +534,43 @@ interactions: \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":1606142933669,"updateDate":1699605548906,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"332-1wp-nhi","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1699375258346,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1699375258346,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"pn7-9wx-enb","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275130893,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275130893,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Sherzod + 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1699605548906,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"332-1wp-nhi","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1699375258346,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1699375258346,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"pn7-9wx-enb","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275130893,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275130893,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"zag-uxd-4rh","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275130586,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275130586,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Sherzod + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275130586,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275130586,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"gj1-f5n-atq","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275130040,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275130040,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Sherzod + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275130040,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275130040,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"xoa-393-gtb","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129","description":"My - 
Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275129856,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275129856,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Sherzod + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275129856,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275129856,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"wib-odd-eos","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275129533,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275129533,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Sherzod + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275129533,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275129533,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod 
Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"zi0-hgn-9ec","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275129209,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275129209,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Sherzod + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275129209,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275129209,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"oce-aqj-x6b","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185616079,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185616079,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Sherzod + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185616079,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185616079,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod 
Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"cdt-p7e-q1b","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185615169,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185615169,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Sherzod + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185615169,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185615169,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"wgo-mps-djd","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185614427,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185614427,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Sherzod + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185614427,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185614427,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"odr-ipk-wvx","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185613924,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185613924,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Sherzod + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185613924,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185613924,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"nb1-dkb-bwz","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185612915,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185612915,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Sherzod + 
Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185612915,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185612915,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"t2g-qma-f5b","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185611378,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185611378,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"Sherzod + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185611378,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185611378,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"pwg-71z-aob","attributes":{"version":1,"name":"ssl_certificate_tampering_open_v2","description":"SSL certificates may have been tampered with","expression":"(\n open.flags 
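Review bot: The re-recorded response on the new side of this hunk still embeds what look like real user identities — `creator`/`updater` display names and `@datadoghq.com` handles together with `creationAuthorUuId`/`updateAuthorUuId` values — and the regeneration replaces a `null` display name with `"frog"` rather than scrubbing anything. Recorded cassettes are committed to a public repository, so the recorder's before-record hook should redact these fields to fixed placeholders (for example `"creator":{"name":"","handle":""}` and a constant UUID) before the cassette is written; the client under test does not depend on their values. Separately, the listing contains many `testtypescript…` rules timestamped from earlier runs, which suggests test teardown is not deleting the rules it creates in the sandbox org — worth confirming, since it also makes every re-recording noisier. The hunk is part of a much larger recorded response body that continues outside this hunk.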
@@ -611,96 +580,96 @@ interactions: not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name !~ \"runc*\"\n&& container.created_at > 180s","category":"File - Activity","creationDate":0,"updateDate":1688748504240,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zuq-yfd-hun","attributes":{"version":1,"name":"deploy_priv_container","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748504240,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zuq-yfd-hun","attributes":{"version":1,"name":"deploy_priv_container","description":"A privileged container was created","expression":"exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted & CAP_SYS_ADMIN > 0","category":"Process - Activity","creationDate":0,"updateDate":1688748488881,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ayp-cd9-j3f","attributes":{"version":1,"name":"network_sniffing_tool","description":"Local + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748488881,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ayp-cd9-j3f","attributes":{"version":1,"name":"network_sniffing_tool","description":"Local account groups were enumerated after container start up","expression":"exec.file.name - in [\"tcpdump\", \"tshark\"]","category":"Process 
Activity","creationDate":0,"updateDate":1688748485348,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x3k-0en-bhm","attributes":{"version":1,"name":"ssh_authorized_keys_open_v2","description":"SSH + in [\"tcpdump\", \"tshark\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748485348,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x3k-0en-bhm","attributes":{"version":1,"name":"ssh_authorized_keys_open_v2","description":"SSH modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" - ])\n) && container.created_at > 180s","category":"File Activity","creationDate":0,"updateDate":1688748480895,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kmx-s3s-htb","attributes":{"version":1,"name":"nsswitch_conf_mod_open_v2","description":"nsswitch + ])\n) && container.created_at > 180s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748480895,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kmx-s3s-htb","attributes":{"version":1,"name":"nsswitch_conf_mod_open_v2","description":"nsswitch may have been modified without authorization","expression":"(\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" - ])\n) && container.created_at > 180s","category":"File 
Activity","creationDate":0,"updateDate":1688748480617,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fdh-b1k-i0e","attributes":{"version":1,"name":"suid_file_execution","description":"a + ])\n) && container.created_at > 180s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748480617,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fdh-b1k-i0e","attributes":{"version":1,"name":"suid_file_execution","description":"a SUID file was executed","expression":"(setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid - != 0 && process.file.path != \"/usr/bin/sudo\"","category":"File Activity","creationDate":0,"updateDate":1688748479473,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rqu-01q-fmr","attributes":{"version":1,"name":"net_util_in_container_v2","description":"A + != 0 && process.file.path != \"/usr/bin/sudo\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748479473,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rqu-01q-fmr","attributes":{"version":1,"name":"net_util_in_container_v2","description":"A network utility was executed in a container","expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at - > 180s","category":"Process 
Activity","creationDate":0,"updateDate":1688748479210,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"igw-lex-dzw","attributes":{"version":1,"name":"hidden_file_executed","description":"A + > 180s","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748479210,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"igw-lex-dzw","attributes":{"version":1,"name":"hidden_file_executed","description":"A hidden file was executed in a suspicious folder","expression":"exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", - ~\"/dev/shm/**\"]","category":"Process Activity","creationDate":0,"updateDate":1688748474266,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ixh-tff-n0g","attributes":{"version":1,"name":"shell_profile_modification","description":"Shell + ~\"/dev/shm/**\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748474266,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ixh-tff-n0g","attributes":{"version":1,"name":"shell_profile_modification","description":"Shell profile was modified","expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0","category":"File - 
Activity","creationDate":0,"updateDate":1688748474208,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"84k-f4f-yx8","attributes":{"version":4,"name":"python_cli_code","description":"Python + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748474208,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"84k-f4f-yx8","attributes":{"version":4,"name":"python_cli_code","description":"Python code was provided on the command line","expression":"exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] && exec.args !~ \"*setuptools*\"","category":"Process - Activity","creationDate":0,"updateDate":1688748470573,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"llh-ylu-udm","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688740629202,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688740629202,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tfj-qbi-njb","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688740550818,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688740550818,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"otj-idk-ece","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688740379706,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688740379706,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"l88-cpw-jvx","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688739737197,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688739737197,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"kcw-scc-5ve","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688677455854,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688677455854,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"lg7-iv9-wts","attributes":{"version":1,"name":"sudoers_policy_modified_utimes","description":"Sudoers + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748470573,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"llh-ylu-udm","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688740629202,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688740629202,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tfj-qbi-njb","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688740550818,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688740550818,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"otj-idk-ece","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688740379706,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688740379706,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"l88-cpw-jvx","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688739737197,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688739737197,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"kcw-scc-5ve","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688677455854,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688677455854,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"lg7-iv9-wts","attributes":{"version":1,"name":"sudoers_policy_modified_utimes","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","creationDate":0,"updateDate":1684185006444,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"lxo-jgz-gtv","attributes":{"version":1,"name":"sudoers_policy_modified_chown","description":"Sudoers + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684185006444,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"lxo-jgz-gtv","attributes":{"version":1,"name":"sudoers_policy_modified_chown","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) && (chown.file.destination.uid != chown.file.uid || - chown.file.destination.gid != chown.file.gid)","category":"File 
Activity","creationDate":0,"updateDate":1684185001787,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vu4-g2z-6yx","attributes":{"version":1,"name":"user_deleted_tty","description":"A + chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684185001787,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vu4-g2z-6yx","attributes":{"version":1,"name":"user_deleted_tty","description":"A user was deleted via an interactive session","expression":"exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"Process - Activity","creationDate":0,"updateDate":1684185000708,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dgj-0mh-asf","attributes":{"version":1,"name":"sudoers_policy_modified_unlink","description":"Sudoers + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684185000708,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dgj-0mh-asf","attributes":{"version":1,"name":"sudoers_policy_modified_unlink","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (unlink.file.path - == \"/etc/sudoers\")\n)","category":"File 
Activity","creationDate":0,"updateDate":1684184996909,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6t0-pxf-oag","attributes":{"version":1,"name":"curl_docker_socket","description":"The + == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184996909,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6t0-pxf-oag","attributes":{"version":1,"name":"curl_docker_socket","description":"The Docker socket was referenced in a cURL command","expression":"exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args in [\"*docker.sock*\"] - && container.id != \"\"","category":"Process Activity","creationDate":0,"updateDate":1684184996292,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"07x-ilo-vbw","attributes":{"version":1,"name":"sudoers_policy_modified_rename","description":"Sudoers + && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184996292,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"07x-ilo-vbw","attributes":{"version":1,"name":"sudoers_policy_modified_rename","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","category":"File - 
Activity","creationDate":0,"updateDate":1684184995498,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vbb-8oz-uj8","attributes":{"version":1,"name":"read_release_info","description":"OS + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184995498,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vbb-8oz-uj8","attributes":{"version":1,"name":"read_release_info","description":"OS information was read from the /etc/lsb-release file","expression":"open.file.path - == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0","category":"File Activity","creationDate":0,"updateDate":1684184994303,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hxb-abz-bnu","attributes":{"version":1,"name":"sudoers_policy_modified_chmod","description":"Sudoers + == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184994303,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hxb-abz-bnu","attributes":{"version":1,"name":"sudoers_policy_modified_chmod","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (chmod.file.path == \"/etc/sudoers\") \n) && chmod.file.destination.mode != chmod.file.mode && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File - 
Activity","creationDate":0,"updateDate":1684184993817,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wxp-zv6-mdg","attributes":{"version":1,"name":"kmod_list","description":"Kernel + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184993817,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wxp-zv6-mdg","attributes":{"version":1,"name":"kmod_list","description":"Kernel modules were listed using the kmod command","expression":"exec.comm == \"kmod\" - && exec.args in [~\"*list*\"]","category":"Process Activity","creationDate":0,"updateDate":1684184992493,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0on-nzp-luo","attributes":{"version":1,"name":"sudoers_policy_modified_open","description":"Sudoers + && exec.args in [~\"*list*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184992493,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0on-nzp-luo","attributes":{"version":1,"name":"sudoers_policy_modified_open","description":"Sudoers policy file may have been modified without authorization","expression":"\n(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n(open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File 
Activity","creationDate":0,"updateDate":1684184992340,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rsp-g6i-jdi","attributes":{"version":1,"name":"service_stop","description":"systemctl + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184992340,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rsp-g6i-jdi","attributes":{"version":1,"name":"service_stop","description":"systemctl used to stop a service","expression":"exec.file.name == \"systemctl\" && exec.args - in [~\"*stop*\"]","category":"Process Activity","creationDate":0,"updateDate":1684184991238,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d5p-vk6-w0f","attributes":{"version":1,"name":"exec_lsmod","description":"Kernel + in [~\"*stop*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184991238,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d5p-vk6-w0f","attributes":{"version":1,"name":"exec_lsmod","description":"Kernel modules were listed using the lsmod command","expression":"exec.comm == \"lsmod\"","category":"Process - Activity","creationDate":0,"updateDate":1684184990877,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ich-3ke-cor","attributes":{"version":1,"name":"sudoers_policy_modified_link","description":"Sudoers + 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184990877,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ich-3ke-cor","attributes":{"version":1,"name":"sudoers_policy_modified_link","description":"Sudoers policy file may have been modified without authorization","expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","category":"File - Activity","creationDate":0,"updateDate":1684184985910,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zdy-kcq-q0v","attributes":{"version":1,"name":"read_kubeconfig","description":"The + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184985910,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zdy-kcq-q0v","attributes":{"version":1,"name":"read_kubeconfig","description":"The kubeconfig file was accessed","expression":"open.file.path in [~\"/home/*/.kube/config\", - \"/root/.kube/config\"]","category":"File Activity","creationDate":0,"updateDate":1684184984191,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yij-lei-ykx","attributes":{"version":1,"name":"exec_whoami","description":"The + \"/root/.kube/config\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184984191,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yij-lei-ykx","attributes":{"version":1,"name":"exec_whoami","description":"The whoami command was 
executed","expression":"exec.comm == \"whoami\"","category":"Process - Activity","creationDate":0,"updateDate":1684184982050,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fjh-jmi-fbi","attributes":{"version":1,"name":"auditd_rule_file_modified","description":"The + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184982050,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fjh-jmi-fbi","attributes":{"version":1,"name":"auditd_rule_file_modified","description":"The auditd rules file was modified without using auditctl","expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \"auditctl\"","category":"File - Activity","creationDate":0,"updateDate":1681490457848,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"div-3ym-esz","attributes":{"version":1,"name":"auditd_config_modified","description":"The + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490457848,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"div-3ym-esz","attributes":{"version":1,"name":"auditd_config_modified","description":"The auditd configuration file was modified without using auditctl","expression":"open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 && process.file.name != \"auditctl\"","category":"File 
Activity","creationDate":0,"updateDate":1681490453830,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"swo-jyw-vtb","attributes":{"version":5,"name":"aws_eks_service_account_token_accessed","description":"The + > 0 && process.file.name != \"auditctl\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490453830,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"swo-jyw-vtb","attributes":{"version":5,"name":"aws_eks_service_account_token_accessed","description":"The AWS EKS service account token was accessed","expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", 
@@ -708,14 +677,14 @@ interactions: \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","creationDate":0,"updateDate":1681490453789,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"2p0-3i2-b4y","attributes":{"version":9,"name":"ssl_certificate_tampering_open","description":"SSL + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490453789,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"2p0-3i2-b4y","attributes":{"version":9,"name":"ssl_certificate_tampering_open","description":"SSL certificates may have been tampered with","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File 
Activity","creationDate":0,"updateDate":1681490451189,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ybu-yya-acz","attributes":{"version":9,"name":"ssl_certificate_tampering_chmod","description":"SSL + process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490451189,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ybu-yya-acz","attributes":{"version":9,"name":"ssl_certificate_tampering_chmod","description":"SSL certificates may have been tampered with","expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
@@ -725,9 +694,9 @@ interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name - !~ \"runc*\"","category":"File Activity","creationDate":1606142980369,"updateDate":1681490448291,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kek-yib-peb","attributes":{"version":2,"name":"shell_history_deleted","description":"Shell + !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142980369,"updateDate":1681490448291,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kek-yib-peb","attributes":{"version":2,"name":"shell_history_deleted","description":"Shell History was Deleted","expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") - && process.comm not in [\"dockerd\", \"containerd\"]","category":"File Activity","creationDate":0,"updateDate":1681490445819,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"w07-amm-bxr","attributes":{"version":10,"name":"ssl_certificate_tampering_utimes","description":"SSL + && process.comm not in [\"dockerd\", \"containerd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490445819,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"w07-amm-bxr","attributes":{"version":10,"name":"ssl_certificate_tampering_utimes","description":"SSL certificates may have been tampered with","expression":"(\n (utimes.file.path in [ 
~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
@@ -736,11 +705,11 @@ interactions: != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File Activity","creationDate":0,"updateDate":1681490443753,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pti-xku-k7y","attributes":{"version":3,"name":"shell_history_truncated","description":"Shell + process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490443753,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pti-xku-k7y","attributes":{"version":3,"name":"shell_history_truncated","description":"Shell History was Deleted","expression":"open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path in [~\"/root/*\", ~\"/home/**\"] && process.file.name == \"truncate\"","category":"File - Activity","creationDate":0,"updateDate":1681490441112,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jin-icc-lpi","attributes":{"version":8,"name":"ssl_certificate_tampering_unlink","description":"SSL + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490441112,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jin-icc-lpi","attributes":{"version":8,"name":"ssl_certificate_tampering_unlink","description":"SSL certificates may have been 
tampered with","expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", @@ -749,7 +718,7 @@ interactions: != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1606142980369,"updateDate":1681490440557,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aby-cmp-yrd","attributes":{"version":2,"name":"dynamic_linker_config_write","description":"A + process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142980369,"updateDate":1681490440557,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aby-cmp-yrd","attributes":{"version":2,"name":"dynamic_linker_config_write","description":"A process wrote to a dynamic linker config file","expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path 
@@ -760,7 +729,7 @@ interactions: \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","creationDate":0,"updateDate":1681490436787,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7nq-ugi-gu1","attributes":{"version":8,"name":"ssl_certificate_tampering_link","description":"SSL + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490436787,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7nq-ugi-gu1","attributes":{"version":8,"name":"ssl_certificate_tampering_link","description":"SSL certificates may have been tampered with","expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path 
@@ -770,7 +739,7 @@ interactions: != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && - process.file.name !~ \"runc*\"\n)","category":"File Activity","creationDate":1606142980369,"updateDate":1681490436302,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qzs-yvl-f4t","attributes":{"version":8,"name":"ssl_certificate_tampering_rename","description":"SSL + process.file.name !~ \"runc*\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142980369,"updateDate":1681490436302,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qzs-yvl-f4t","attributes":{"version":8,"name":"ssl_certificate_tampering_rename","description":"SSL certificates may have been tampered with","expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path 
@@ -780,31 +749,31 @@ interactions: != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File Activity","creationDate":1606142980369,"updateDate":1681490435881,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9hn-ukg-ek1","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222899530,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222899530,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ulc-8ym-1ch","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222899155,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222899155,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"zja-jqt-rpm","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898","description":"My 
- Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222898613,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222898613,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"2ov-h11-m4w","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222898408,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222898408,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"shb-0xv-eib","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222898061,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222898061,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"psp-nbn-dtg","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222897739,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222897739,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mcq-6by-989","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856493876,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856493876,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tci-5f7-cis","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856492960,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856492960,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mey-lit-gzs","attributes":{"version":1,"name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856491445,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856491445,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"4ve-rws-nw0","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856490988,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856490988,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"9aa-y0q-rrc","attributes":{"version":1,"name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856490077,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856490077,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tvd-3p1-cai","attributes":{"version":1,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856489180,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856489180,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"asy-mod-zmt","attributes":{"version":5,"name":"user_created_tty","description":"A + process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142980369,"updateDate":1681490435881,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9hn-ukg-ek1","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222899530,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222899530,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ulc-8ym-1ch","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222899155,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222899155,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"zja-jqt-rpm","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222898613,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222898613,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"2ov-h11-m4w","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222898408,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222898408,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"shb-0xv-eib","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222898061,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222898061,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"psp-nbn-dtg","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222897739,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222897739,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mcq-6by-989","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856493876,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856493876,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tci-5f7-cis","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856492960,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856492960,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mey-lit-gzs","attributes":{"version":1,"name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856491445,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856491445,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"4ve-rws-nw0","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856490988,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856490988,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"9aa-y0q-rrc","attributes":{"version":1,"name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856490077,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856490077,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tvd-3p1-cai","attributes":{"version":1,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856489180,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856489180,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"asy-mod-zmt","attributes":{"version":5,"name":"user_created_tty","description":"A user was created via an interactive session","expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - && exec.args_flags not in [\"D\"]","category":"Process Activity","creationDate":1627392836979,"updateDate":1677793421528,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rek-wb4-s7y","attributes":{"version":7,"name":"systemd_modification_rename","description":"A + && exec.args_flags not in [\"D\"]","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":1627392836979,"updateDate":1677793421528,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rek-wb4-s7y","attributes":{"version":7,"name":"systemd_modification_rename","description":"A service may have been modified without authorization","expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":0,"updateDate":1677793418528,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4fh-bb7-747","attributes":{"version":11,"name":"credential_modified_chmod","description":"Sensitive + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1677793418528,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4fh-bb7-747","attributes":{"version":11,"name":"credential_modified_chmod","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
@@ -814,36 +783,36 @@ interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","creationDate":1598516746271,"updateDate":1677793414173,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yiy-mba-pny","attributes":{"version":5,"name":"common_net_intrusion_util","description":"A + && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746271,"updateDate":1677793414173,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yiy-mba-pny","attributes":{"version":5,"name":"common_net_intrusion_util","description":"A network utility (nmap) commonly used in intrusion attacks was executed","expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]","category":"Process - Activity","creationDate":1617722067554,"updateDate":1677793413474,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3tj-btx-kvo","attributes":{"version":5,"name":"package_management_in_container","description":"Package + 
Activity","defaultRule":true,"enabled":true,"creationDate":1617722067554,"updateDate":1677793413474,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3tj-btx-kvo","attributes":{"version":5,"name":"package_management_in_container","description":"Package management was detected in a container","expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - && container.id != \"\"","category":"Process Activity","creationDate":1617722067648,"updateDate":1677793413044,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oio-i4o-xzw","attributes":{"version":1,"name":"tty_shell_in_container","description":"A + && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":1617722067648,"updateDate":1677793413044,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oio-i4o-xzw","attributes":{"version":1,"name":"tty_shell_in_container","description":"A shell with a TTY was executed in a container","expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n 
\"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"","category":"Process - Activity","creationDate":0,"updateDate":1677793412844,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qdc-oqx-zsx","attributes":{"version":8,"name":"systemd_modification_chown","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1677793412844,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qdc-oqx-zsx","attributes":{"version":8,"name":"systemd_modification_chown","description":"A service may have been modified without authorization","expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File - Activity","creationDate":0,"updateDate":1677793412379,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pwh-omk-qrr","attributes":{"version":3,"name":"new_binary_execution_in_container","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1677793412379,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pwh-omk-qrr","attributes":{"version":3,"name":"new_binary_execution_in_container","description":"A container executed a new binary not 
found in the container image","expression":"container.id != \"\" && process.file.in_upper_layer && process.file.modification_time < - 30s && exec.file.name != \"\"","category":"Process Activity","creationDate":1652129906455,"updateDate":1677793412378,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bgs-kbk-xkh","attributes":{"version":7,"name":"systemd_modification_link","description":"A + 30s && exec.file.name != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":1652129906455,"updateDate":1677793412378,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bgs-kbk-xkh","attributes":{"version":7,"name":"systemd_modification_link","description":"A service may have been modified without authorization","expression":"(\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":0,"updateDate":1677793412375,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tmh-now-e61","attributes":{"version":6,"name":"pci_11_5_critical_binaries_open","description":"Critical + 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1677793412375,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tmh-now-e61","attributes":{"version":6,"name":"pci_11_5_critical_binaries_open","description":"Critical system binaries may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", 
@@ -853,24 +822,24 @@ interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":1606142933669,"updateDate":1677793410974,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kxs-kt6-5gt","attributes":{"version":7,"name":"systemd_modification_unlink","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1677793410974,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kxs-kt6-5gt","attributes":{"version":7,"name":"systemd_modification_unlink","description":"A service may have been modified without authorization","expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":0,"updateDate":1677793406609,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ohp-ags-xpk","attributes":{"version":4,"name":"pam_modification_utimes","description":"PAM + 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1677793406609,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ohp-ags-xpk","attributes":{"version":4,"name":"pam_modification_utimes","description":"PAM may have been modified without authorization","expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142936138,"updateDate":1677793405837,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"t8w-eul-chf","attributes":{"version":7,"name":"systemd_modification_utimes","description":"A + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1677793405837,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"t8w-eul-chf","attributes":{"version":7,"name":"systemd_modification_utimes","description":"A service may have been modified without authorization","expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - 
Activity","creationDate":0,"updateDate":1677793405627,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ay7-jkz-rda","attributes":{"version":10,"name":"credential_modified_unlink","description":"Sensitive + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1677793405627,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ay7-jkz-rda","attributes":{"version":10,"name":"credential_modified_unlink","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
@@ -880,7 +849,7 @@ interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":1598516746271,"updateDate":1677793404797,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fpw-paa-smb","attributes":{"version":10,"name":"kernel_module_utimes","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":1598516746271,"updateDate":1677793404797,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fpw-paa-smb","attributes":{"version":10,"name":"kernel_module_utimes","description":"A new kernel module was added","expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
@@ -888,7 +857,7 @@ interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","category":"File Activity","creationDate":1598516746168,"updateDate":1677793402985,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"c4t-pxu-ixk","attributes":{"version":10,"name":"kernel_module_unlink","description":"A + != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1677793402985,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"c4t-pxu-ixk","attributes":{"version":10,"name":"kernel_module_unlink","description":"A new kernel module was added","expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
@@ -896,7 +865,7 @@ interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","category":"File Activity","creationDate":1598516746168,"updateDate":1677793402725,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ec9-vff-7ni","attributes":{"version":9,"name":"kernel_module_link","description":"A + != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1677793402725,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ec9-vff-7ni","attributes":{"version":9,"name":"kernel_module_link","description":"A new kernel module was added","expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", 
@@ -905,7 +874,7 @@ interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","category":"File Activity","creationDate":1598516746168,"updateDate":1677793401708,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"r5z-tke-sjm","attributes":{"version":10,"name":"credential_modified_link","description":"Sensitive + != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1677793401708,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"r5z-tke-sjm","attributes":{"version":10,"name":"credential_modified_link","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in 
@@ -916,7 +885,7 @@ interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":1598516746271,"updateDate":1677793401181,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"eoy-4fe-q7q","attributes":{"version":11,"name":"credential_modified_chown","description":"Sensitive + Activity","defaultRule":true,"enabled":true,"creationDate":1598516746271,"updateDate":1677793401181,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"eoy-4fe-q7q","attributes":{"version":11,"name":"credential_modified_chown","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
@@ -927,7 +896,7 @@ interactions: not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","category":"File Activity","creationDate":1598516746271,"updateDate":1677793399502,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cd0-w8q-vl4","attributes":{"version":11,"name":"kernel_module_chown","description":"A + != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746271,"updateDate":1677793399502,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cd0-w8q-vl4","attributes":{"version":11,"name":"kernel_module_chown","description":"A new kernel module was added","expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
@@ -936,9 +905,9 @@ interactions: \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) && (chown.file.destination.uid != chown.file.uid || - chown.file.destination.gid != chown.file.gid)","category":"File Activity","creationDate":1598516746168,"updateDate":1677793397722,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bw8-80r-qih","attributes":{"version":1,"name":"dummy_rule_BAiZP","description":"Execution + chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1677793397722,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bw8-80r-qih","attributes":{"version":1,"name":"dummy_rule_BAiZP","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677793394115,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677793394115,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mpb-1rj-dv6","attributes":{"version":9,"name":"kernel_module_rename","description":"A + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677793394115,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677793394115,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mpb-1rj-dv6","attributes":{"version":9,"name":"kernel_module_rename","description":"A new kernel module was added","expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", 
@@ -947,7 +916,7 @@ interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","category":"File Activity","creationDate":1598516746168,"updateDate":1677793394010,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ac4-asc-qi4","attributes":{"version":10,"name":"credential_modified_rename","description":"Sensitive + != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1677793394010,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ac4-asc-qi4","attributes":{"version":10,"name":"credential_modified_rename","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in 
@@ -958,9 +927,9 @@ interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","creationDate":1598516746271,"updateDate":1677793391290,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gtx-vpl-ror","attributes":{"version":1,"name":"dummy_rule_lszUX","description":"Execution + Activity","defaultRule":true,"enabled":true,"creationDate":1598516746271,"updateDate":1677793391290,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gtx-vpl-ror","attributes":{"version":1,"name":"dummy_rule_lszUX","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1675978633464,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1675978633464,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xye-pfo-y0r","attributes":{"version":9,"name":"kernel_module_open","description":"A + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1675978633464,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1675978633464,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xye-pfo-y0r","attributes":{"version":9,"name":"kernel_module_open","description":"A new kernel module was added","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
@@ -968,7 +937,7 @@ interactions: \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && - process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","creationDate":1598516746168,"updateDate":1674486423764,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cmu-g58-cau","attributes":{"version":6,"name":"cron_at_job_creation_rename","description":"An + process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1674486423764,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cmu-g58-cau","attributes":{"version":6,"name":"cron_at_job_creation_rename","description":"An unauthorized job was added to cron scheduling","expression":"(\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", 
@@ -976,29 +945,29 @@ interactions: ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","creationDate":1606142961130,"updateDate":1674486423628,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sna-hgh-vo4","attributes":{"version":3,"name":"dynamic_linker_config_unlink","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486423628,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sna-hgh-vo4","attributes":{"version":3,"name":"dynamic_linker_config_unlink","description":"A process unlinked a dynamic linker config file","expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\"]","category":"File Activity","creationDate":0,"updateDate":1674486422738,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"efc-svz-7hu","attributes":{"version":1,"name":"potential_web_shell_parent","description":"A + \"/sbin/apk\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1674486422738,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"efc-svz-7hu","attributes":{"version":1,"name":"potential_web_shell_parent","description":"A web application spawned a shell or shell utility","expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] - || process.parent.file.name =~ \"php*\")","category":"Process 
Activity","creationDate":0,"updateDate":1674486413493,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tna-ty5-e7c","attributes":{"version":1,"name":"mount_host_fs","description":"The + || process.parent.file.name =~ \"php*\")","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1674486413493,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tna-ty5-e7c","attributes":{"version":1,"name":"mount_host_fs","description":"The host file system was mounted in a container","expression":"mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id != \"\"","category":"File - Activity","creationDate":0,"updateDate":1674486412444,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ygi-ozn-m5d","attributes":{"version":1,"name":"memfd_create","description":"memfd + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1674486412444,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ygi-ozn-m5d","attributes":{"version":1,"name":"memfd_create","description":"memfd object created","expression":"exec.file.name =~ \"memfd*\" && exec.file.path - == \"\"","category":"Process Activity","creationDate":0,"updateDate":1674486411993,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nlp-lzc-rcf","attributes":{"version":5,"name":"systemd_modification_open","description":"A + == \"\"","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1674486411993,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nlp-lzc-rcf","attributes":{"version":5,"name":"systemd_modification_open","description":"A service may have been modified without authorization","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n)","category":"File - Activity","creationDate":1606142929241,"updateDate":1674486408888,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"avt-p2e-fyc","attributes":{"version":9,"name":"kernel_module_chmod","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":1606142929241,"updateDate":1674486408888,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"avt-p2e-fyc","attributes":{"version":9,"name":"kernel_module_chmod","description":"A new kernel module was added","expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
@@ -1006,21 +975,21 @@ interactions: not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n) && chmod.file.destination.mode - != chmod.file.mode","category":"File Activity","creationDate":1598516746168,"updateDate":1674486407158,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ipa-v3l-kt6","attributes":{"version":7,"name":"cron_at_job_creation_chmod","description":"An + != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1674486407158,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ipa-v3l-kt6","attributes":{"version":7,"name":"cron_at_job_creation_chmod","description":"An unauthorized job was added to cron scheduling","expression":"(\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && chmod.file.destination.mode != chmod.file.mode\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","creationDate":1606142961130,"updateDate":1674486406983,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3xl-qds-f0e","attributes":{"version":7,"name":"cron_at_job_creation_chown","description":"An + 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486406983,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3xl-qds-f0e","attributes":{"version":7,"name":"cron_at_job_creation_chown","description":"An unauthorized job was added to cron scheduling","expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142961130,"updateDate":1674486406776,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0gu-pqy-o1a","attributes":{"version":7,"name":"cron_at_job_creation_link","description":"An + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486406776,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0gu-pqy-o1a","attributes":{"version":7,"name":"cron_at_job_creation_link","description":"An unauthorized job was added to cron scheduling","expression":"(\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", 
@@ -1028,14 +997,14 @@ interactions: ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","creationDate":1606142961130,"updateDate":1674486406604,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ygn-d8o-ncr","attributes":{"version":7,"name":"cron_at_job_creation_utimes","description":"An + Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486406604,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ygn-d8o-ncr","attributes":{"version":7,"name":"cron_at_job_creation_utimes","description":"An unauthorized job was added to cron scheduling","expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","creationDate":1606142961130,"updateDate":1674486406387,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"psd-3el-h33","attributes":{"version":9,"name":"credential_modified_utimes","description":"Sensitive + 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486406387,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"psd-3el-h33","attributes":{"version":9,"name":"credential_modified_utimes","description":"Sensitive credential files were modified using a non-standard tool","expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
@@ -1045,359 +1014,359 @@ interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n)","category":"File - Activity","creationDate":1598516746271,"updateDate":1674486406248,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"atu-tci-bjn","attributes":{"version":7,"name":"cron_at_job_creation_unlink","description":"An + Activity","defaultRule":true,"enabled":true,"creationDate":1598516746271,"updateDate":1674486406248,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"atu-tci-bjn","attributes":{"version":7,"name":"cron_at_job_creation_unlink","description":"An unauthorized job was added to cron scheduling","expression":"(\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","creationDate":1606142961130,"updateDate":1674486405229,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"onm-dqu-jly","attributes":{"version":7,"name":"cron_at_job_creation_open","description":"An + 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486405229,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"onm-dqu-jly","attributes":{"version":7,"name":"cron_at_job_creation_open","description":"An unauthorized job was added to cron scheduling","expression":"(\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","creationDate":1606142961130,"updateDate":1674486404864,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kuu-k1s-gqz","attributes":{"version":6,"name":"systemd_modification_chmod","description":"A + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486404864,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kuu-k1s-gqz","attributes":{"version":6,"name":"systemd_modification_chmod","description":"A service may have been modified without authorization","expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n) && 
chmod.file.destination.mode != chmod.file.mode","category":"File - Activity","creationDate":1606142929241,"updateDate":1674486404846,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hnh-eio-mow","attributes":{"version":2,"name":"ptrace_antidebug","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":1606142929241,"updateDate":1674486404846,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hnh-eio-mow","attributes":{"version":2,"name":"ptrace_antidebug","description":"A process uses an anti-debugging technique to block debuggers","expression":"ptrace.request - == PTRACE_TRACEME && process.file.name != \"\"","category":"Kernel Activity","creationDate":1650293718435,"updateDate":1670604150759,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"f5y-pdn-pnj","attributes":{"version":4,"name":"kernel_module_load","description":"A + == PTRACE_TRACEME && process.file.name != \"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":1650293718435,"updateDate":1670604150759,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"f5y-pdn-pnj","attributes":{"version":4,"name":"kernel_module_load","description":"A kernel module was loaded","expression":"load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", - \"ssm-agent-worker\"]","category":"Kernel 
Activity","creationDate":1650293718458,"updateDate":1670604150549,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ddh-ld5-2rj","attributes":{"version":1,"name":"aws_imds","description":"An + \"ssm-agent-worker\"]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":1650293718458,"updateDate":1670604150549,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ddh-ld5-2rj","attributes":{"version":1,"name":"aws_imds","description":"An AWS IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","category":"Process - Activity","creationDate":0,"updateDate":1670604150281,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"enj-kdc-1tt","attributes":{"version":1,"name":"net_file_download","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1670604150281,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"enj-kdc-1tt","attributes":{"version":1,"name":"net_file_download","description":"A suspicious file was written by a network utility","expression":"open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n&& (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", - ~\"/etc/**\", ~\"/var/tmp/**\", 
~\"/dev/shm/**\"]\n)","category":"File Activity","creationDate":0,"updateDate":1670604150067,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wew-y1h-1um","attributes":{"version":1,"name":"compile_after_delivery","description":"A + ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1670604150067,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wew-y1h-1um","attributes":{"version":1,"name":"compile_after_delivery","description":"A compiler wrote a suspicious file in a container","expression":"open.flags & O_CREAT > 0\n&& (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n&& (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n&& process.file.name not in [\"pip\", ~\"python*\"]\n&& - container.id != \"\"","category":"File Activity","creationDate":0,"updateDate":1670604150062,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ct9-og0-h7h","attributes":{"version":1,"name":"net_unusual_request","description":"Network + container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1670604150062,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ct9-og0-h7h","attributes":{"version":1,"name":"net_unusual_request","description":"Network utility executed with suspicious 
URI","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","category":"Process - Activity","creationDate":0,"updateDate":1670604150059,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9dx-svj-apj","attributes":{"version":1,"name":"azure_imds","description":"An + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1670604150059,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9dx-svj-apj","attributes":{"version":1,"name":"azure_imds","description":"An Azure IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","category":"Process - Activity","creationDate":0,"updateDate":1670604150058,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sah-xju-jcq","attributes":{"version":1,"name":"gcp_imds","description":"An + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1670604150058,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sah-xju-jcq","attributes":{"version":1,"name":"gcp_imds","description":"An GCP IMDS was called via a network utility","expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","category":"Process - 
Activity","creationDate":0,"updateDate":1670604150002,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mmk-0g6-4qu","attributes":{"version":1,"name":"dummy_rule_VxNSK","description":"Execution + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1670604150002,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mmk-0g6-4qu","attributes":{"version":1,"name":"dummy_rule_VxNSK","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1668731826060,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1668731826060,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"uze-gr4-sfh","attributes":{"version":1,"name":"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1667938921652,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1667938921652,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mgd-dmc-zta","attributes":{"version":1,"name":"interactive_shell_in_container","description":"An + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1668731826060,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1668731826060,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"uze-gr4-sfh","attributes":{"version":1,"name":"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1667938921652,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1667938921652,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mgd-dmc-zta","attributes":{"version":1,"name":"interactive_shell_in_container","description":"An interactive shell was started inside of a container","expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"","category":"Process - 
Activity","creationDate":0,"updateDate":1666888169595,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3lt-gov-2yu","attributes":{"version":4,"name":"net_util","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1666888169595,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3lt-gov-2yu","attributes":{"version":4,"name":"net_util","description":"A network utility was executed","expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process - Activity","creationDate":1642158534952,"updateDate":1666888163498,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jx4-pkv-247","attributes":{"version":2,"name":"dirty_pipe_attempt","description":"Potential + Activity","defaultRule":true,"enabled":true,"creationDate":1642158534952,"updateDate":1666888163498,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jx4-pkv-247","attributes":{"version":2,"name":"dirty_pipe_attempt","description":"Potential Dirty pipe exploitation attempt","expression":"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid - != 0 && process.gid != 0)","category":"File 
Activity","creationDate":1648564123603,"updateDate":1666888163347,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ifl-wfe-sch","attributes":{"version":6,"name":"net_util_in_container","description":"A + != 0 && process.gid != 0)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1648564123603,"updateDate":1666888163347,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ifl-wfe-sch","attributes":{"version":6,"name":"net_util_in_container","description":"A network utility was executed in a container","expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process - Activity","creationDate":1617722068439,"updateDate":1666888163319,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aux-r7v-odv","attributes":{"version":2,"name":"dirty_pipe_exploitation","description":"Potential + Activity","defaultRule":true,"enabled":true,"creationDate":1617722068439,"updateDate":1666888163319,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aux-r7v-odv","attributes":{"version":2,"name":"dirty_pipe_exploitation","description":"Potential Dirty pipe exploitation","expression":"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) - > 0 && (process.uid != 0 && process.gid != 0)","category":"File 
Activity","creationDate":1648564123563,"updateDate":1666888163318,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vri-cjo-ywh","attributes":{"version":2,"name":"pwnkit_privilege_escalation","description":"A + > 0 && (process.uid != 0 && process.gid != 0)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1648564123563,"updateDate":1666888163318,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vri-cjo-ywh","attributes":{"version":2,"name":"pwnkit_privilege_escalation","description":"A process was spawned with indicators of exploitation of CVE-2021-4034","expression":"(exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)","category":"Process - Activity","creationDate":1643639113864,"updateDate":1666888163135,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ejk-rbu-v9x","attributes":{"version":3,"name":"passwd_execution","description":"The + Activity","defaultRule":true,"enabled":true,"creationDate":1643639113864,"updateDate":1666888163135,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ejk-rbu-v9x","attributes":{"version":3,"name":"passwd_execution","description":"The passwd or chpasswd utility was used to modify an account password","expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags not in - [\"S\", \"status\"]","category":"Process 
Activity","creationDate":1617722068383,"updateDate":1666888162106,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pej-frv-8lb","attributes":{"version":2,"name":"java_shell_execution","description":"A + [\"S\", \"status\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":1617722068383,"updateDate":1666888162106,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pej-frv-8lb","attributes":{"version":2,"name":"java_shell_execution","description":"A java process spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n&& - process.ancestors.file.name == \"java\"","category":"Process 
Activity","creationDate":1617722069224,"updateDate":1666888161764,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"llh-jd2-obf","attributes":{"version":1,"name":"dummy_rule_cdxqn","description":"Execution + process.ancestors.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":1617722069224,"updateDate":1666888161764,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"llh-jd2-obf","attributes":{"version":1,"name":"dummy_rule_cdxqn","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1666320581140,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1666320581140,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xae-nwo-v33","attributes":{"version":1,"name":"dummy_rule_iNwDw","description":"Execution + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1666320581140,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1666320581140,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xae-nwo-v33","attributes":{"version":1,"name":"dummy_rule_iNwDw","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1666305602255,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1666305602255,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rvp-ggu-cvk","attributes":{"version":2,"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706668670,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706791898,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"vx9-lii-nnm","attributes":{"version":1,"name":"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706690162,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706690162,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xur-uya-vqn","attributes":{"version":1,"name":"examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706656639,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706656639,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"96x-aqb-3yh","attributes":{"version":1,"name":"dummy_rule_RMoJm","description":"Execution + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1666305602255,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1666305602255,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rvp-ggu-cvk","attributes":{"version":2,"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706668670,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706791898,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"vx9-lii-nnm","attributes":{"version":1,"name":"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706690162,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706690162,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xur-uya-vqn","attributes":{"version":1,"name":"examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706656639,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706656639,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"96x-aqb-3yh","attributes":{"version":1,"name":"dummy_rule_RMoJm","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706171079,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706171079,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"smc-exb-ymp","attributes":{"version":1,"name":"ld_preload_unusual_library_path","description":"The + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706171079,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706171079,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"smc-exb-ymp","attributes":{"version":1,"name":"ld_preload_unusual_library_path","description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","expression":"exec.envs in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","category":"Process - Activity","creationDate":0,"updateDate":1665475122471,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fak-u9s-pac","attributes":{"version":4,"name":"pam_modification_chown","description":"PAM + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1665475122471,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fak-u9s-pac","attributes":{"version":4,"name":"pam_modification_chown","description":"PAM may have been modified without authorization","expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File - Activity","creationDate":1606142936138,"updateDate":1665475121157,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ki2-nwj-sot","attributes":{"version":4,"name":"nsswitch_conf_mod_chmod","description":"nsswitch + 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1665475121157,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ki2-nwj-sot","attributes":{"version":4,"name":"nsswitch_conf_mod_chmod","description":"nsswitch may have been modified without authorization","expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) && chmod.file.destination.mode != chmod.file.mode","category":"File - Activity","creationDate":1606142958657,"updateDate":1665475120054,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"12k-ui3-z4h","attributes":{"version":4,"name":"pam_modification_chmod","description":"PAM + Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1665475120054,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"12k-ui3-z4h","attributes":{"version":4,"name":"pam_modification_chmod","description":"PAM may have been modified without authorization","expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && chmod.file.destination.mode - != chmod.file.mode","category":"File Activity","creationDate":1606142936138,"updateDate":1665475102566,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ien-7aw-blw","attributes":{"version":4,"name":"ssh_authorized_keys_chown","description":"SSH + != chmod.file.mode","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1665475102566,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ien-7aw-blw","attributes":{"version":4,"name":"ssh_authorized_keys_chown","description":"SSH modified keys may have been modified","expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File - Activity","creationDate":1606142954844,"updateDate":1665475102281,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vqc-lta-u8c","attributes":{"version":4,"name":"ssh_authorized_keys_chmod","description":"SSH + Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1665475102281,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vqc-lta-u8c","attributes":{"version":4,"name":"ssh_authorized_keys_chmod","description":"SSH modified keys may have been modified","expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && chmod.file.destination.mode - != chmod.file.mode","category":"File Activity","creationDate":1606142954844,"updateDate":1665475100348,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"m1y-sk8-b4c","attributes":{"version":1,"name":"dummy_rule_xkrhu","description":"Execution + != 
chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1665475100348,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"m1y-sk8-b4c","attributes":{"version":1,"name":"dummy_rule_xkrhu","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665129615755,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665129615755,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"19v-30b-0xf","attributes":{"version":1,"name":"dummy_rule","description":"Execution + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665129615755,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665129615755,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"19v-30b-0xf","attributes":{"version":1,"name":"dummy_rule","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665129432848,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665129432848,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ehj-52q-wq0","attributes":{"version":1,"name":"shell_history_symlink","description":"A + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665129432848,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665129432848,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ehj-52q-wq0","attributes":{"version":1,"name":"shell_history_symlink","description":"A symbolic link for shell history was created targeting /dev/null","expression":"exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]","category":"Process - Activity","creationDate":0,"updateDate":1661193980229,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gp1-mai-dlc","attributes":{"version":1,"name":"new_java_detect_sync_test_us1_prod","description":"Execution + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1661193980229,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gp1-mai-dlc","attributes":{"version":1,"name":"new_java_detect_sync_test_us1_prod","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1661183150504,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1661183150504,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ai3-b8g-lbc","attributes":{"version":1,"name":"new_java_detect_sync_test_prod","description":"Execution + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1661183150504,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1661183150504,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ai3-b8g-lbc","attributes":{"version":1,"name":"new_java_detect_sync_test_prod","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1661182864424,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1661182864424,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tmz-dqc-yml","attributes":{"version":1,"name":"new_java_detect_sync_test","description":"Execution + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1661182864424,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1661182864424,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tmz-dqc-yml","attributes":{"version":1,"name":"new_java_detect_sync_test","description":"Execution of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1661182722064,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1661182722064,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ez9-ozl-3lz","attributes":{"version":2,"name":"potential_cryptominer","description":"A + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1661182722064,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1661182722064,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ez9-ozl-3lz","attributes":{"version":2,"name":"potential_cryptominer","description":"A process resolved a DNS name associated with cryptomining activity","expression":"dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] - && process.file.name != \"\"","category":"Network 
Activity","creationDate":0,"updateDate":1658502077556,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tef-sab-thr","attributes":{"version":2,"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1656001153179,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1656001158687,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wup-o5b-tjo","attributes":{"version":1,"name":"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1656001152681,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1656001152681,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"c3v-vla-rev","attributes":{"version":1,"name":"examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1656001148856,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1656001148856,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"yel-nbl-2pj","attributes":{"version":1,"name":"testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1654691372829,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1654691372829,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI + && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1658502077556,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tef-sab-thr","attributes":{"version":2,"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1656001153179,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1656001158687,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wup-o5b-tjo","attributes":{"version":1,"name":"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148","description":"My + Agent rule","expression":"exec.file.name 
== \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1656001152681,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1656001152681,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"c3v-vla-rev","attributes":{"version":1,"name":"examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1656001148856,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1656001148856,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"yel-nbl-2pj","attributes":{"version":1,"name":"testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1654691372829,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1654691372829,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"rp0-hmk-9c1","attributes":{"version":1,"name":"ip_check_domain","description":"A DNS lookup was done for a IP check service","expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", 
\"whatismyip.akamai.com\"] && process.file.name != \"\"","category":"Network - Activity","creationDate":0,"updateDate":1654020337230,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"q7y-2ci-hkh","attributes":{"version":1,"name":"paste_site","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1654020337230,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"q7y-2ci-hkh","attributes":{"version":1,"name":"paste_site","description":"A DNS lookup was done for a pastebin-like site","expression":"dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] && - process.file.name != \"\"","category":"Network Activity","creationDate":0,"updateDate":1654020335889,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ntj-rfs-mw3","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1652008845797,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1652008845797,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dyn-u7u-v86","attributes":{"version":2,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997888388,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997888544,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mlg-yxw-uig","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997887223,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997887223,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"lq3-t6t-xng","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997886363,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997886363,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"1hp-hpr-4ez","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997885869,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997885869,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mt3-pks-n5s","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997884985,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997884985,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"r4a-yvz-rj7","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997884150,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997884150,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"5k1-gwi-0aq","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651943472022,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651943472022,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"lkj-jnq-r6s","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651915815493,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651915815493,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mbc-iwk-zpb","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651912470539,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651912470539,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fzb-lli-m26","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651867150336,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651867150336,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"9mk-xxe-lpw","attributes":{"version":2,"name":"suspicious_container_client","description":"A + process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1654020335889,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ntj-rfs-mw3","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1652008845797,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1652008845797,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dyn-u7u-v86","attributes":{"version":2,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997888388,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997888544,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mlg-yxw-uig","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997887223,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997887223,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"lq3-t6t-xng","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997886363,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997886363,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"1hp-hpr-4ez","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997885869,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997885869,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mt3-pks-n5s","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997884985,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997884985,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"r4a-yvz-rj7","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883","description":"Test + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997884150,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997884150,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"5k1-gwi-0aq","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651943472022,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651943472022,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"lkj-jnq-r6s","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651915815493,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651915815493,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mbc-iwk-zpb","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651912470539,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651912470539,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fzb-lli-m26","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651867150336,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651867150336,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"9mk-xxe-lpw","attributes":{"version":2,"name":"suspicious_container_client","description":"A container management utility was executed in a container","expression":"exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"","category":"Process - Activity","creationDate":1617722068555,"updateDate":1651671394200,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ieg-lmk-cgo","attributes":{"version":2,"name":"kernel_module_load_container","description":"A + Activity","defaultRule":true,"enabled":true,"creationDate":1617722068555,"updateDate":1651671394200,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ieg-lmk-cgo","attributes":{"version":2,"name":"kernel_module_load_container","description":"A container loaded a new kernel module","expression":"load_module.name != \"\" - && container.id !=\"\"","category":"Kernel Activity","creationDate":1650293718705,"updateDate":1650371511241,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"lzx-kkv-at3","attributes":{"version":1,"name":"ptrace_injection","description":"A + && container.id !=\"\"","category":"Kernel 
Activity","defaultRule":true,"enabled":true,"creationDate":1650293718705,"updateDate":1650371511241,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"lzx-kkv-at3","attributes":{"version":1,"name":"ptrace_injection","description":"A process attempted to inject code into another process","expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request - == PTRACE_POKEUSR","category":"Kernel Activity","creationDate":1650293718540,"updateDate":1650293789265,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"foo-pve-qbq","attributes":{"version":1,"name":"kernel_module_load_from_memory_container","description":"A + == PTRACE_POKEUSR","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":1650293718540,"updateDate":1650293789265,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"foo-pve-qbq","attributes":{"version":1,"name":"kernel_module_load_from_memory_container","description":"A kernel module was loaded from memory inside a container","expression":"load_module.loaded_from_memory - == true && container.id !=\"\"","category":"Kernel Activity","creationDate":1650293718365,"updateDate":1650293788418,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"irg-o45-pxz","attributes":{"version":3,"name":"example_agent_rule","description":"An + == true && container.id !=\"\"","category":"Kernel 
Activity","defaultRule":true,"enabled":true,"creationDate":1650293718365,"updateDate":1650293788418,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"irg-o45-pxz","attributes":{"version":3,"name":"example_agent_rule","description":"An example agent rule generated in terraform","expression":"exec.file.name == - \"java\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1647036168203,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1647036377676,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rsy-7jg-hqm","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923","description":"an + \"java\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1647036168203,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1647036377676,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rsy-7jg-hqm","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392938634,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392938634,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"m39-rre-anw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392938634,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392938634,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"m39-rre-anw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392919175,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392919175,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"4wd-unc-xof","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392919175,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392919175,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"4wd-unc-xof","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392899126,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392899126,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"jhk-qpj-jlt","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392899126,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392899126,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"jhk-qpj-jlt","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392475857,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392475857,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ruf-aic-d4j","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392475857,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392475857,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ruf-aic-d4j","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392453588,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392453588,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"jtf-zrn-0ph","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392453588,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392453588,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"jtf-zrn-0ph","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392434263,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392434263,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ijz-1cz-bms","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392434263,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392434263,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ijz-1cz-bms","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392042558,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392042558,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"21m-gs8-p43","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392042558,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392042558,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"21m-gs8-p43","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392021741,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392021741,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"in7-ydq-pbw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392021741,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392021741,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"in7-ydq-pbw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391998597,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391998597,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"v8v-sem-rmg","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391998597,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391998597,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"v8v-sem-rmg","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391745920,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391745920,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"kox-qtp-cbn","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391745920,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391745920,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"kox-qtp-cbn","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391725233,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391725233,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"thp-evn-3gr","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391725233,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391725233,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"thp-evn-3gr","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391702920,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391702920,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hx6-v0z-9gk","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390450706,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390450706,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"n8j-9n3-urm","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390427444,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390427444,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tkl-mjf-is5","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390405807,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390405807,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"up2-fhh-bc8","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391702920,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391702920,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hx6-v0z-9gk","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390450706,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390450706,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"n8j-9n3-urm","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390427444,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390427444,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tkl-mjf-is5","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390405807,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390405807,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"up2-fhh-bc8","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390171673,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390171673,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"vdu-0rd-lnj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390171673,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390171673,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"vdu-0rd-lnj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390147278,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390147278,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dfb-wz2-0ka","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390147278,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390147278,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dfb-wz2-0ka","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390124588,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390124588,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"7vz-wdj-vwc","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390124588,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390124588,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"7vz-wdj-vwc","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389998703,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389998703,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"qls-upn-1vc","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389972825,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389972825,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rxo-lya-bqu","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389998703,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389998703,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"qls-upn-1vc","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389972825,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389972825,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rxo-lya-bqu","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389950224,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389950224,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dm3-ip4-rza","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389929035,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389929035,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rzs-ccq-4qm","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389950224,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389950224,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dm3-ip4-rza","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389929035,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389929035,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rzs-ccq-4qm","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389773436,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389773436,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wa9-zm8-8ds","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389773436,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389773436,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wa9-zm8-8ds","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389706550,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389706550,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"alm-sgy-vz3","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389706550,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389706550,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"alm-sgy-vz3","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389645597,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389645597,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dls-vo9-rqx","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389575084,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389575084,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fyz-u20-nvn","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389645597,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389645597,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dls-vo9-rqx","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389575084,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389575084,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fyz-u20-nvn","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389549031,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389549031,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"nqv-0et-fcj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389523942,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389523942,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"u7v-36z-wue","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389549031,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389549031,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"nqv-0et-fcj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389523942,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389523942,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"u7v-36z-wue","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389502800,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389502800,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"y2z-ffa-zys","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389479547,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389479547,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"cym-1zi-nnd","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389428402,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389428402,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ip9-wgt-q3k","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389502800,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389502800,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"y2z-ffa-zys","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389479547,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389479547,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"cym-1zi-nnd","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389428402,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389428402,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ip9-wgt-q3k","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389406698,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389406698,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"t9d-zbo-2nw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389381751,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389381751,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"kaw-0h7-dji","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389406698,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389406698,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"t9d-zbo-2nw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389381751,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389381751,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"kaw-0h7-dji","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389356453,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389356453,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"m4i-otg-jnj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389335243,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389335243,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"heh-lnh-xwm","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389356453,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389356453,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"m4i-otg-jnj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389335243,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389335243,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"heh-lnh-xwm","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389226802,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389226802,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"cwa-5rh-qtd","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389204108,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389204108,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"e5l-xtx-hmi","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389226802,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389226802,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"cwa-5rh-qtd","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389204108,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389204108,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"e5l-xtx-hmi","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389181761,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389181761,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ebx-lyj-r3a","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389155207,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389155207,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xac-4if-49b","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389181761,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389181761,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ebx-lyj-r3a","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389155207,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389155207,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xac-4if-49b","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389130549,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389130549,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dh6-bdu-8v0","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389106392,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389106392,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hkd-6dr-ify","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389130549,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389130549,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dh6-bdu-8v0","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389106392,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389106392,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hkd-6dr-ify","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388960762,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388960762,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"bsx-fod-0xj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388931383,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388931383,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"8jt-x9p-yoy","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388960762,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388960762,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"bsx-fod-0xj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388931383,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388931383,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"8jt-x9p-yoy","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388907818,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388907818,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rhd-qao-dub","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388883010,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388883010,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"j0f-fhi-ab7","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388907818,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388907818,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rhd-qao-dub","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388883010,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388883010,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"j0f-fhi-ab7","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388862340,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388862340,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rvn-u2c-xm4","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388843151,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388843151,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ldn-agb-3fl","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388862340,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388862340,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rvn-u2c-xm4","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388843151,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388843151,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ldn-agb-3fl","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388744863,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388744863,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"cyr-g7t-to0","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388719895,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388719895,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wnm-xkk-mat","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388744863,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388744863,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"cyr-g7t-to0","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388719895,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388719895,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wnm-xkk-mat","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388693095,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388693095,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"moo-kuq-zbt","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388693095,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388693095,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"moo-kuq-zbt","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388275282,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388275282,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wzs-moc-ji9","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388250051,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388250051,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"uw2-d3y-5h6","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388275282,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388275282,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wzs-moc-ji9","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388250051,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388250051,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"uw2-d3y-5h6","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388226579,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388226579,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fez-txs-qf9","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388201323,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388201323,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fga-mna-xej","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388226579,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388226579,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fez-txs-qf9","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388201323,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388201323,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fga-mna-xej","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388177724,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388177724,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"iyn-7sl-swn","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388157048,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388157048,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"p3w-qyi-pbo","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388177724,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388177724,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"iyn-7sl-swn","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137","description":"an + agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388157048,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388157048,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"p3w-qyi-pbo","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388010676,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388010676,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"yyt-sfa-fck","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388010676,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388010676,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"yyt-sfa-fck","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387597089,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387597089,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"5z7-fqq-siu","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387597089,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387597089,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"5z7-fqq-siu","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387573023,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387573023,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ivz-amj-yl7","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387573023,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387573023,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ivz-amj-yl7","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387549793,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387549793,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"lyv-3xn-qch","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387549793,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387549793,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"lyv-3xn-qch","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387524178,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387524178,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fpt-c7o-ipx","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387524178,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387524178,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fpt-c7o-ipx","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387500298,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387500298,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tap-fek-5kw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387500298,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387500298,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tap-fek-5kw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387480011,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387480011,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"u7b-x0z-cbe","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387480011,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387480011,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"u7b-x0z-cbe","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387165931,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387165931,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hhe-gcm-vjl","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387165931,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387165931,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hhe-gcm-vjl","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387141298,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387141298,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"nt9-5fe-de1","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387141298,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387141298,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"nt9-5fe-de1","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387114912,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387114912,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"pj0-bcy-euh","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387114912,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387114912,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"pj0-bcy-euh","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387082695,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387082695,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rm5-px4-iua","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387082695,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387082695,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rm5-px4-iua","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387057879,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387057879,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"cqz-7pc-ajz","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387057879,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387057879,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"cqz-7pc-ajz","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387032689,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387032689,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hot-prj-df5","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387032689,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387032689,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hot-prj-df5","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386926682,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386926682,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"q7n-lvv-4au","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386926682,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386926682,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"q7n-lvv-4au","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386901939,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386901939,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"gly-5wu-uny","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386901939,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386901939,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"gly-5wu-uny","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386877222,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386877222,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"umz-fjl-7qq","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386877222,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386877222,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"umz-fjl-7qq","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386850558,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386850558,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"spq-5f8-isw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386850558,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386850558,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"spq-5f8-isw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386826170,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386826170,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dul-hdz-xmo","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386826170,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386826170,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dul-hdz-xmo","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386804704,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386804704,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"n94-q2a-co9","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386804704,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386804704,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"n94-q2a-co9","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386762229,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386762229,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"x1n-wra-hdt","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386762229,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386762229,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"x1n-wra-hdt","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386735946,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386735946,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"kgt-kcc-tnu","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695","description":"an + 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386735946,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386735946,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"kgt-kcc-tnu","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386713348,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386713348,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"znp-dul-gcj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657","description":"an + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386713348,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386713348,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"znp-dul-gcj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657","description":"an agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386674573,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386674573,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ily-tsr-dtj","attributes":{"version":1,"name":"compiler_in_container","description":"Compiler + Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386674573,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386674573,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ily-tsr-dtj","attributes":{"version":1,"name":"compiler_in_container","description":"Compiler Executed in Container","expression":"(exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path != \"/usr/bin/cilium-agent\"","category":"Process - Activity","creationDate":1627392836759,"updateDate":1636729662344,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jl5-wjt-58e","attributes":{"version":1,"name":"aws_metadata_service","description":"EC2 + Activity","defaultRule":true,"enabled":true,"creationDate":1627392836759,"updateDate":1636729662344,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jl5-wjt-58e","attributes":{"version":1,"name":"aws_metadata_service","description":"EC2 Instance Metadata Service Accessed via Network 
Utility","expression":"exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in [~\"*169.254.169.254*\"]","category":"Process - Activity","creationDate":1627392836096,"updateDate":1629226276630,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8ol-dkr-aml","attributes":{"version":3,"name":"nsswitch_conf_mod_link","description":"Nsswitch + Activity","defaultRule":true,"enabled":true,"creationDate":1627392836096,"updateDate":1629226276630,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8ol-dkr-aml","attributes":{"version":3,"name":"nsswitch_conf_mod_link","description":"Nsswitch Configuration Modified","expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File - Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fdf-wvb-c3k","attributes":{"version":3,"name":"nsswitch_conf_mod_open","description":"Nsswitch + Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fdf-wvb-c3k","attributes":{"version":3,"name":"nsswitch_conf_mod_open","description":"Nsswitch Configuration Modified","expression":"(\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File - 
Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pkn-azw-qia","attributes":{"version":3,"name":"nsswitch_conf_mod_rename","description":"Nsswitch + Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pkn-azw-qia","attributes":{"version":3,"name":"nsswitch_conf_mod_rename","description":"Nsswitch Configuration Modified","expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File - Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wpt-ba8-mpd","attributes":{"version":3,"name":"nsswitch_conf_mod_unlink","description":"Nsswitch + Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wpt-ba8-mpd","attributes":{"version":3,"name":"nsswitch_conf_mod_unlink","description":"Nsswitch Configuration Modified","expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" - ])\n)","category":"File 
Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7ud-d2o-qgo","attributes":{"version":3,"name":"nsswitch_conf_mod_utimes","description":"Nsswitch + ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7ud-d2o-qgo","attributes":{"version":3,"name":"nsswitch_conf_mod_utimes","description":"Nsswitch Configuration Modified","expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" - ])\n)","category":"File Activity","creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"za8-uxc-jxk","attributes":{"version":3,"name":"ssh_authorized_keys_link","description":"SSH + ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"za8-uxc-jxk","attributes":{"version":3,"name":"ssh_authorized_keys_link","description":"SSH Authorized Keys Modified","expression":"(\n link.file.name == \"authorized_keys\" && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path - in [ ~\"*/.ssh/*\" ])\n)","category":"File 
Activity","creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nej-iw4-adk","attributes":{"version":3,"name":"ssh_authorized_keys_open","description":"SSH + in [ ~\"*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nej-iw4-adk","attributes":{"version":3,"name":"ssh_authorized_keys_open","description":"SSH Authorized Keys Modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name == \"authorized_keys\" && (open.file.path in [ - ~\"*/.ssh/*\" ])\n)","category":"File Activity","creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tiz-yss-zhq","attributes":{"version":3,"name":"ssh_authorized_keys_rename","description":"SSH + ~\"*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tiz-yss-zhq","attributes":{"version":3,"name":"ssh_authorized_keys_rename","description":"SSH Authorized Keys Modified","expression":"(\n rename.file.name == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path - in [ ~\"*/.ssh/*\" ])\n)","category":"File 
Activity","creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"apr-zj4-ee1","attributes":{"version":3,"name":"ssh_authorized_keys_unlink","description":"SSH + in [ ~\"*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"apr-zj4-ee1","attributes":{"version":3,"name":"ssh_authorized_keys_unlink","description":"SSH Authorized Keys Modified","expression":"(\n unlink.file.name == \"authorized_keys\" - && (unlink.file.path in [ ~\"*/.ssh/*\" ])\n)","category":"File Activity","creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yhq-etl-wr6","attributes":{"version":3,"name":"ssh_authorized_keys_utimes","description":"SSH + && (unlink.file.path in [ ~\"*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yhq-etl-wr6","attributes":{"version":3,"name":"ssh_authorized_keys_utimes","description":"SSH Authorized Keys Modified","expression":"(\n utimes.file.name == \"authorized_keys\" - && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n)","category":"File 
Activity","creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"m8i-uhr-aoq","attributes":{"version":3,"name":"pam_modification_link","description":"PAM + && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"m8i-uhr-aoq","attributes":{"version":3,"name":"pam_modification_link","description":"PAM Configuration Files Modification","expression":"(\n (link.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)","category":"File Activity","creationDate":1606142936138,"updateDate":1628512221276,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"adl-qjr-lyg","attributes":{"version":3,"name":"pam_modification_open","description":"PAM + in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1628512221276,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"adl-qjr-lyg","attributes":{"version":3,"name":"pam_modification_open","description":"PAM Configuration Files Modification","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)","category":"File - 
Activity","creationDate":1606142936138,"updateDate":1628512221276,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"2fy-aqt-8mz","attributes":{"version":3,"name":"pam_modification_rename","description":"PAM + Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1628512221276,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"2fy-aqt-8mz","attributes":{"version":3,"name":"pam_modification_rename","description":"PAM Configuration Files Modification","expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)","category":"File Activity","creationDate":1606142936138,"updateDate":1628512221276,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ei7-n5e-rvv","attributes":{"version":3,"name":"pam_modification_unlink","description":"PAM + in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1628512221276,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ei7-n5e-rvv","attributes":{"version":3,"name":"pam_modification_unlink","description":"PAM Configuration Files Modification","expression":"(\n (unlink.file.path in - [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)","category":"File 
Activity","creationDate":1606142936138,"updateDate":1628512221276,"filters":[],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":true,"creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"}]} + [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1628512221276,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"}]} ' headers: @@ -1406,18 +1375,4 @@ interactions: status: code: 200 message: OK -- request: - body: null - headers: - accept: - - '*/*' - method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/sk6-sni-wfh - response: - body: - string: '' - headers: {} - status: - code: 204 - message: No Content version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_policies_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_policies_returns_ok_response.frozen new file mode 100644 index 0000000000..8fe4f3f193 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_policies_returns_ok_response.frozen @@ -0,0 +1 @@ +2025-04-01T14:30:58.530Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_policies_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_policies_returns_ok_response.yaml new file mode 100644 index 0000000000..63dc55766e --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_policies_returns_ok_response.yaml 
@@ -0,0 +1,20 @@ +interactions: +- request: + body: null + headers: + accept: + - application/json + method: GET + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":[{"id":"CWS_CUSTOM-canary","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"disabledRulesCount":1,"enabled":false,"hostTags":[],"monitoringRulesCount":418,"name":"Datadog + Managed Policy","policyVersion":"53221","priority":1000000000,"ruleCount":419,"updateDate":1742473183000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"CWS_DD","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":1,"enabled":true,"monitoringRulesCount":225,"name":"Datadog + Managed Policy","policyVersion":"1.40.0-rc76","priority":0,"ruleCount":226,"updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}}]}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.frozen index 5490c515f8..7ee9fb8020 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:49.136Z \ No newline at end of file +2025-04-01T14:30:58.771Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.yaml index 7cd7bb9089..d018c128de 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.yaml 
+++ b/tests/v2/cassettes/test_scenarios/test_get_all_csm_threats_agent_rules_returns_ok_response.yaml 
@@ -10,42 +10,620 @@ interactions: body: string: '{"data":[{"id":"50t-g20-n4o","type":"agent_rule","attributes":{"category":"File Activity","creationDate":1710772096000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"","enabled":true,"expression":"open.file.name - == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"Randomname","updateDate":1710772096000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"oed-ka8-syl","type":"agent_rule","attributes":{"category":"Process + == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"Randomname","updateDate":1710772096000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4mc-0xr-vlw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714264624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714264624","updateDate":1714264624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zu3-7yi-3w0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714696626000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714696624","updateDate":1714696626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xg2-lum-j2a","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714783024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714783024","updateDate":1714783024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rsm-fam-pfp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714869424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714869424","updateDate":1714869424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ulx-voj-zk3","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714883824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714883824","updateDate":1714883824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"nio-59w-ip8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714927026000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714927026","updateDate":1714927026000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5zt-j5u-aqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715287024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715287024","updateDate":1715287024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"k8w-brg-51l","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715445426000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715445424","updateDate":1715445426000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"eue-gqs-59v","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715503024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715503024","updateDate":1715503024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9wz-mgt-zkp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715546226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715546226","updateDate":1715546226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fii-ysi-7bu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715618226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715618224","updateDate":1715618226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hhl-9nk-8ls","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715819826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715819824","updateDate":1715819826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rc4-b53-3sj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715863024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715863024","updateDate":1715863024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"w3d-qp8-3yb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716309424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1716309424","updateDate":1716309424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"cvn-qsw-ibn","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716410225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1716410224","updateDate":1716410225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vyd-2vb-tnk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1738469890000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1738469890","updateDate":1738469890000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ulc-hn1-cz5","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1725295024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1725295023","updateDate":1725295024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"jbe-827-tq7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732768624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1732768624","updateDate":1732768624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ezw-7rm-wca","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735634224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1735634224","updateDate":1735634224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"p4n-ijm-zeu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714155721000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714155721","updateDate":1714155721000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"piq-bha-m6t","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714279024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714279024","updateDate":1714279024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rno-53m-mf3","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714538225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714538225","updateDate":1714538225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bwj-n0m-ut5","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714653425000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714653424","updateDate":1714653425000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hk2-qrd-3jt","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714667824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714667824","updateDate":1714667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zdz-ued-luw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714797424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714797424","updateDate":1714797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tf1-bgq-7bb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714883824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714883824","updateDate":1714883824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"35e-29w-qhu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715128624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715128624","updateDate":1715128624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"iyj-haq-dvu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715373426000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715373425","updateDate":1715373426000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rgf-wo7-4fj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715402226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715402224","updateDate":1715402226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"stq-uwx-efd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715531824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715531824","updateDate":1715531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"i0b-hk0-7h3","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715560625000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715560625","updateDate":1715560625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"0zl-ilo-guv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716050224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716050224","updateDate":1716050224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"e7g-3t1-hpu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716352624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716352624","updateDate":1716352624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qoe-y42-hqp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716554224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716554224","updateDate":1716554224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sic-1px-69u","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1717418225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1717418224","updateDate":1717418225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3kk-4rm-qug","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1718426224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1718426224","updateDate":1718426224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"b79-xcg-63p","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1719059824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719059824","updateDate":1719059824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"veg-qf4-lgr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1719967025000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719967024","updateDate":1719967025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ukn-yjf-h6a","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1719981424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719981423","updateDate":1719981424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ssm-zlm-vqh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1720312626000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1720312624","updateDate":1720312626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qba-1qm-uj5","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721075824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721075824","updateDate":1721075824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uhw-kuq-ute","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721119025000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721119024","updateDate":1721119025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ftd-d3e-byt","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721666224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721666224","updateDate":1721666224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9n1-l1g-u4k","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721853424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721853423","updateDate":1721853424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4qm-ikt-fpr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721954224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721954223","updateDate":1721954224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"d7t-4i4-tex","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1722659826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1722659824","updateDate":1722659826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mda-uab-xow","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1723178226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1723178224","updateDate":1723178226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3cv-rwp-2t7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1724215024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724215024","updateDate":1724215024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vvb-sfk-jn1","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1724647024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724647024","updateDate":1724647024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"li0-j5t-0hv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1724848624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724848624","updateDate":1724848624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hlp-8dr-0i3","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1725467825000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1725467823","updateDate":1725467825000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xw4-uw8-mmx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1725885424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1725885424","updateDate":1725885424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3gw-vkx-b7s","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1728419826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1728419824","updateDate":1728419826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xxc-35o-apy","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1729427824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1729427824","updateDate":1729427824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3hj-2t8-ydm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1729787824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1729787824","updateDate":1729787824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zt8-od0-yxu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1730205424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730205423","updateDate":1730205424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"svl-2s4-jd4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1730450224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730450223","updateDate":1730450224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ycc-lv0-6oj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1730939824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730939824","updateDate":1730939824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"d2g-d0v-w1l","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732019824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732019824","updateDate":1732019824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7s9-sfq-2km","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732552624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732552624","updateDate":1732552624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tb2-3ij-eep","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732667824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732667824","updateDate":1732667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sfj-gky-roy","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732869424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732869424","updateDate":1732869424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sz5-kvy-3kd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732927024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732927024","updateDate":1732927024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"2vn-l1s-b0y","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733013424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733013424","updateDate":1733013424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"nco-423-hiu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733531824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733531824","updateDate":1733531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"l57-d8u-edg","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733546224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733546224","updateDate":1733546224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4sz-cc7-ukd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733560627000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733560624","updateDate":1733560627000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"o9g-ptk-2zv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733575024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733575024","updateDate":1733575024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xg0-u09-xir","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733603824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733603824","updateDate":1733603824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fog-8k1-fzi","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733704624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733704624","updateDate":1733704624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wzz-ni8-56v","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733963824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733963824","updateDate":1733963824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"mdn-0hh-uw1","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734050226000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734050223","updateDate":1734050226000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"3ox-06e-x4c","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734093424000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734093423","updateDate":1734093424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"uyv-a9k-8l7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734395826000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734395824","updateDate":1734395826000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"5b4-k0v-rzw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734424624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734424623","updateDate":1734424624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"w60-a8d-qrd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734439024000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734439023","updateDate":1734439024000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"zsr-y94-6u2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734482226000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734482224","updateDate":1734482226000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"0t6-uce-ee0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734899824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734899824","updateDate":1734899824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"fiw-wuv-ueg","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734914224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734914224","updateDate":1734914224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"n8l-rby-b42","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735072624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735072624","updateDate":1735072624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"v14-hvg-0fd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735216626000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735216624","updateDate":1735216626000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"shf-bur-1id","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735288624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735288624","updateDate":1735288624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"18r-273-a6u","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735547824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735547824","updateDate":1735547824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"1ys-tf8-u32","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735562224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735562224","updateDate":1735562224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"1ej-lz6-3iy","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735648624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735648624","updateDate":1735648624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"981-x7o-izo","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735749424000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735749424","updateDate":1735749424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"897-56j-4uj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735907824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735907823","updateDate":1735907824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"f5p-men-xz3","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735994224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735994224","updateDate":1735994224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"wt2-84b-uy6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737433133000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1737433133","updateDate":1737433133000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"269-p6y-i3p","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742473183000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1742473182","updateDate":1742473183000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"vxv-90c-vm4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714279023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714279022","updateDate":1714279024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rta-b8v-4uf","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714322223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714322222","updateDate":1714322224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qo2-qin-6hg","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714351023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714351022","updateDate":1714351024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"aoo-snu-t5u","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714423023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714423023","updateDate":1714423024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vsk-ewy-s83","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714451823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714451823","updateDate":1714451824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"o4r-6tp-yk0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714466223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714466223","updateDate":1714466224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"710-xzg-ays","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714480623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714480623","updateDate":1714480624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tjr-ib4-gya","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714509423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714509423","updateDate":1714509424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"yep-euy-ttp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714552623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714552623","updateDate":1714552624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ps4-63s-bzc","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714567023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714567023","updateDate":1714567024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kax-qcg-qu0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714581423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714581423","updateDate":1714581424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"245-ynt-xcy","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714610223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714610223","updateDate":1714610224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"1m6-dg0-lq9","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714624623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714624623","updateDate":1714624624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3xf-404-qez","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714667823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714667823","updateDate":1714667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"e6l-qo1-y2e","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714682223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714682223","updateDate":1714682224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"k95-kl4-jxt","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714696623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714696623","updateDate":1714696627000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"es7-rhv-nra","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714797423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714797422","updateDate":1714797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"syl-o29-0dq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714826223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714826223","updateDate":1714826223000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7sd-d1r-ts5","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714840623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714840622","updateDate":1714840624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"97d-p9d-x1d","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714941423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714941422","updateDate":1714941424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mgl-xtg-ctl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715027823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715027822","updateDate":1715027824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"a9f-o95-atg","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715128623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715128622","updateDate":1715128624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rjm-biu-bqq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715272623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715272622","updateDate":1715272624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"nor-y5a-3sn","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715373423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715373422","updateDate":1715373424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4fo-giq-5f8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715416623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715416622","updateDate":1715416624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"c79-8dg-klx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715445423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715445422","updateDate":1715445424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"f4p-2wj-hrf","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715459823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715459822","updateDate":1715459824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bou-hvm-24h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715474223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715474222","updateDate":1715474224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"lf1-s8g-yf7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715503023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715503022","updateDate":1715503024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"krx-co0-pz2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715531823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715531822","updateDate":1715531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uqg-z0t-83n","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715575023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715575022","updateDate":1715575024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kid-vkk-fj9","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715603823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715603822","updateDate":1715603824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"h4n-yuq-2mp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715632623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715632622","updateDate":1715632624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ocv-we5-g5y","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715661423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715661422","updateDate":1715661423000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mzh-gda-c24","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715762223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715762222","updateDate":1715762224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mtg-s1f-xy5","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716050223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716050222","updateDate":1716050224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"6ak-6po-dd6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716640623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716640622","updateDate":1716640624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5rb-4q9-p5g","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716813423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716813422","updateDate":1716813424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"b7w-xgg-ocq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1717130223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717130222","updateDate":1717130226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"1l2-7qh-mfa","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1717432623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717432622","updateDate":1717432626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"m77-qgu-c48","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1717677423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717677422","updateDate":1717677424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"f2b-qds-3f4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1718815023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1718815022","updateDate":1718815024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xh4-cv2-cfa","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1719031023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719031022","updateDate":1719031024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fxe-inc-9zj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1719938223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719938222","updateDate":1719938225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"pb3-26n-452","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1719981423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719981422","updateDate":1719981424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hgr-nny-7zr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1720471023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1720471022","updateDate":1720471024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wvg-hbj-6o2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1720600623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1720600622","updateDate":1720600624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9ji-2p2-v00","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721248623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721248623","updateDate":1721248625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"dou-40j-cpw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721378223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721378223","updateDate":1721378224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qd9-39s-51s","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721666223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721666223","updateDate":1721666224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"g9j-hhf-7at","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1722703023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1722703023","updateDate":1722703024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ybg-c9d-29b","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1723034223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723034223","updateDate":1723034224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hsg-toh-i57","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1723610223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723610223","updateDate":1723610224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tiy-95c-mkc","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1723797423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723797423","updateDate":1723797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7rw-grx-l7u","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1726331823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1726331822","updateDate":1726331823000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"k1r-tva-i6e","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1727829423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1727829422","updateDate":1727829425000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4bk-eaa-j5w","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1728664623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1728664622","updateDate":1728664623000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qk2-gkn-517","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1730162223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730162223","updateDate":1730162225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ybl-tp8-aab","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1730263023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730263022","updateDate":1730263025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3xd-vam-hd2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1730479023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730479022","updateDate":1730479024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ro3-z56-52j","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732221423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1732221423","updateDate":1732221424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3ay-9ve-3i3","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732451823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1732451822","updateDate":1732451823000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"a66-2qy-xwe","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733128623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733128622","updateDate":1733128625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9of-ebc-ypn","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733143023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733143022","updateDate":1733143023000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"b68-yq9-x3q","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733200623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733200622","updateDate":1733200625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ev9-rxn-om1","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733272623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733272622","updateDate":1733272626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"gds-0mc-sle","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733330223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733330222","updateDate":1733330225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rwf-5af-jaw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733618223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733618222","updateDate":1733618223000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"z2v-n54-g9a","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733661423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733661422","updateDate":1733661424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vma-z5w-bi9","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734179823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734179822","updateDate":1734179825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ya9-48i-611","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734496623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734496623","updateDate":1734496625000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"l9m-5ce-g9i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734525423000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734525422","updateDate":1734525423000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"kbx-ylg-k86","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734597423000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734597422","updateDate":1734597424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"rec-v3q-e1c","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734770223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734770223","updateDate":1734770227000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tr5-g9p-4jx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734799023000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734799023","updateDate":1734799025000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tps-9zv-vpp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734899823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734899823","updateDate":1734899825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"0rc-s4t-d0f","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735562223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735562223","updateDate":1735562225000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ekr-3xj-8yj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735619823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735619823","updateDate":1735619825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"p6o-t98-nm1","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735691823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735691823","updateDate":1735691824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"nue-wxi-y3i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735720623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735720623","updateDate":1735720626000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"w95-d3h-c3r","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735864623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735864622","updateDate":1735864625000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"6w8-3xn-j4c","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1736066223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1736066222","updateDate":1736066224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"hcr-3py-6it","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1736807340000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1736807340","updateDate":1736807342000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"00d-kfn-fwm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1740025013000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1740025013","updateDate":1740025019000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ceu-3h6-qug","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1740269813000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1740269813","updateDate":1740269814000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"oed-ka8-syl","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1711550899000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os == \"linux\""],"name":"my_agent_rule","updateDate":1711550899000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"v9x-9ib-tr7","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737288363000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"im + a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os + == \"linux\""],"name":"qljifimbbh","updateDate":1737288363000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ast-isd-tty","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715645381000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testgocreateacsmthreatsagentrulereturnsokresponse1715645381","updateDate":1715645381000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"9l7-am7-hy6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1736986169000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"testgocreateacsmthreatsagentrulereturnsokresponse1736986169","updateDate":1736986169000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"tw0-y2e-9wf","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1738627773000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testgocreateacsmthreatsagentrulereturnsokresponse1738627773","updateDate":1738627773000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"cdy-cvp-oqz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1728617680000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testjavacreateacsmthreatsagentrulereturnsokresponse1728617679","updateDate":1728617680000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"tth-j42-vc4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732591470000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testjavacreateacsmthreatsagentrulereturnsokresponse1732591469","updateDate":1732591470000,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"lhe-ksz-xyj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1711595493000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os == \"linux\""],"name":"testjavagetacsmthreatsagentrulereturnsokresponse1711595493","updateDate":1711595493000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"24l-rs9-d0x","type":"agent_rule","attributes":{"category":"Process + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"73h-yo0-427","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1725240870000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1725240869","updateDate":1725240870000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ohq-oxe-jb4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1726883002000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1726883002","updateDate":1726883002000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"912-lu2-2sg","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1731203077000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1731203077","updateDate":1731203077000,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"5c8-aij-182","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1720156180000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testrustgetacsmthreatsagentrulereturnsokresponse1720156180","updateDate":1720156180000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5jy-8qa-vwx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1724216976000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testrustupdateacsmthreatsagentrulereturnsbadrequestresponse1724216976","updateDate":1724216976000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"24l-rs9-d0x","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1710500975000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os == \"linux\""],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1710500975","updateDate":1710500975000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"pz7-rvb-ckm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734692969000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1734692969","updateDate":1734692970000,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ctc-pux-luh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737951387000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1737951387","updateDate":1737951389000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"v64-qmf-tal","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1740543488000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1740543488","updateDate":1740543488000,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name - !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + !=\"\"","filters":["os == 
\"linux\""],"name":"apparmor_modified_tty","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os - == \"linux\""],"name":"auditctl_usage","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + == \"linux\""],"name":"auditctl_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == - \"linux\""],"name":"auditd_config_modified","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + \"linux\""],"name":"auditd_config_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 - process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dnj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + AWS CLI utility was executed","enabled":true,"expression":"exec.file.name + == \"aws\"","filters":["os == \"linux\""],"name":"aws_cli_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", 
@@ -53,62 +631,56 @@ interactions: \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", ~\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os - == \"linux\""],"name":"aws_imds","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + == 
\"linux\""],"name":"aws_imds","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os - == \"linux\""],"name":"azure_imds","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + == \"linux\""],"name":"azure_imds","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The base64 command was used to decode information","enabled":true,"expression":"exec.file.name - == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Certutil + == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Certutil was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os - == \"windows\""],"name":"certutil_usage","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == \"windows\""],"name":"certutil_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS request was made for a chatroom domain","enabled":true,"expression":"dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","filters":["os - == \"linux\""],"name":"chatroom_request","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == \"linux\""],"name":"chatroom_request","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", 
\"zgrab2\", \"rustscan\", \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os - == \"linux\""],"name":"common_net_intrusion_util","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == \"linux\""],"name":"common_net_intrusion_util","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path - in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 - (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm - in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n\u0026\u0026 process.file.name - not in [\"pip\", ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"name":"compile_after_delivery","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - compiler was executed inside of a container","enabled":true,"expression":"(exec.file.name - in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 - exec.args in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" - \u0026\u0026 process.ancestors.file.path != 
\"/usr/bin/cilium-agent\"","filters":["os - == \"linux\""],"name":"compiler_in_container","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Known + in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 + (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm + in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", + \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", + \"clang\", \"gcc\", \"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", + ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + compiler was executed inside of a container","enabled":true,"expression":"(exec.comm + in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", + \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args + in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 + process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == + \"linux\""],"name":"compiler_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Known offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline - in 
[~\"*crackmapexec*\", ~\"*cme*\"]","filters":["os == \"windows\""],"name":"crackmap_exec_executed","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","filters":["os == + \"windows\""],"name":"crackmap_exec_executed","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
@@ -117,11 +689,10 @@ interactions: \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"name":"credential_modified_chmod","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
@@ -130,11 +701,11 @@ interactions: \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"name":"credential_modified_chown","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == \"linux\""],"name":"credential_modified_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path 
@@ -144,10 +715,9 @@ interactions: \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"credential_modified_link","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path 
@@ -157,10 +727,10 @@ interactions: \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at + \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path 
@@ -170,10 +740,9 @@ interactions: \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"credential_modified_rename","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
@@ -182,10 +751,9 @@ interactions: \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"credential_modified_unlink","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sensitive + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
@@ -194,229 +762,229 @@ interactions: \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"credential_modified_utimes","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-brb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"regedit + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-brb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"regedit used to export critical registry hive","enabled":true,"expression":"exec.file.name in [\"reg.exe\", \"regedit.exe\"] \u0026\u0026 exec.cmdline in [~\"*hklm*\", ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", ~\"*security*\"]","filters":["os - == \"windows\""],"name":"critical_registry_export","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + == 
\"windows\""],"name":"critical_registry_export","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xg6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a + critical windows file was modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\windows\\system32\\**\"]","filters":["os == \"windows\""],"name":"critical_windows_files_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == 
\"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" 
]\n || + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"name":"cron_at_job_creation_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 
process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A - process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_flags - in [\"cpu-priority\", \"donate-level\", ~\"randomx-1gb-pages\"] || exec.args - in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", - ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os - == \"linux\""],"name":"cryptominer_args","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_options + in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args_flags == \"randomx-1gb-pages\" 
+ || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", + ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", + ~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os - == \"linux\""],"name":"cryptominer_envs","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + == \"linux\""],"name":"cryptominer_envs","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0fx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + process spawned from print server","enabled":true,"expression":"exec.file.name + != \"\" \u0026\u0026 process.parent.file.name == \"foomatic-rip\"","filters":["os + == \"linux\""],"name":"cups_spawned_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [~\"*docker.sock*\"] 
\u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"name":"curl_docker_socket","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == \"linux\""],"name":"curl_docker_socket","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args == \"-c 
locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" - \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0en","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + debugfs was executed in a container","enabled":true,"expression":"exec.comm + == \"debugfs\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"debugfs_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process deleted common system log files","enabled":true,"expression":"unlink.file.path in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 - process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"A + process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A privileged container was created","enabled":true,"expression":"exec.file.name != \"\" \u0026\u0026 container.created_at \u003c 1s \u0026\u0026 process.cap_permitted - \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential + \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + file executed from /dev/shm/ directory","enabled":true,"expression":"exec.file.path + == \"/dev/shm/**\"","filters":["os == \"linux\""],"name":"devshm_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 
\u0026\u0026 - process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_attempt","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Potential + process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_attempt","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 - process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-beh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Dotnet_dump + process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-beh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dotnet_dump was used to dump a process memory","enabled":true,"expression":"exec.cmdline =~ \"*dotnet-dump*\" \u0026\u0026 exec.cmdline =~ \"*collect*\"","filters":["os - == \"windows\""],"name":"dotnet_dump_execution","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == \"windows\""],"name":"dotnet_dump_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] - \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", - \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", - \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", - \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", - \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in + [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the lsmod command","enabled":true,"expression":"exec.comm - == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os - == \"linux\""],"name":"exec_whoami","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + == \"linux\""],"name":"exec_whoami","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os - == \"linux\""],"name":"exec_wrmsr","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"The + == \"linux\""],"name":"exec_wrmsr","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os - == \"linux\""],"name":"executable_bit_added","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + == \"linux\""],"name":"executable_bit_added","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nv0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + rclone utility was executed","enabled":true,"expression":"exec.file.name in + [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","filters":["os + == \"linux\""],"name":"file_sync_exfil","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-t06","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find + command searching for sensitive files","enabled":true,"expression":"exec.comm + == \"find\" \u0026\u0026 exec.args in 
[~\"*credentials*\"]","filters":["os + == \"linux\""],"name":"find_credentials","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os - == \"linux\""],"name":"gcp_imds","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == \"linux\""],"name":"gcp_imds","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", - ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"An + ~\"/dev/shm/**\"]","filters":["os == 
\"linux\""],"name":"hidden_file_executed","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"lkj-jnb-khe","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + AWS IMDSv1 request was issued","enabled":false,"expression":"imds.cloud_provider + == \"aws\" \u0026\u0026 imds.aws.is_imds_v2 == false \u0026\u0026 process.file.name + not in ${imds_v1_usage_services}","filters":["os == \"linux\""],"name":"imds_v1_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os - == \"linux\""],"name":"interactive_shell_in_container","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-x7z","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process + == 
\"linux\""],"name":"interactive_shell_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x7z","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process executed with arguments common with Inveigh tool usage","enabled":true,"expression":"exec.cmdline in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", - ~\"*SnifferIP*\"]","filters":["os == \"windows\""],"name":"inveigh_tool_usage","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + ~\"*SnifferIP*\"]","filters":["os == \"windows\""],"name":"inveigh_tool_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os - == \"linux\""],"name":"ip_check_domain","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Egress + == \"linux\""],"name":"ip_check_domain","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Egress traffic allowed using iptables","enabled":true,"expression":"exec.comm == - \"iptables\" \u0026\u0026 process.args in [r\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] + \"iptables\" \u0026\u0026 process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os - == \"linux\""],"name":"iptables_egress_allowed","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == \"linux\""],"name":"iptables_egress_allowed","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qnj","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process made an outbound IRC connection","enabled":true,"expression":"connect.addr.port + == 6667 \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"name":"irc_connection","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n 
\"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\
",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n\u0026\u0026 - process.parent.file.name == \"java\"","filters":["os == \"linux\""],"name":"java_shell_execution_parent","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bi
n/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n\u0026\u0026 + process.parent.file.name in [\"java\", \"jspawnhelper\"]","filters":["os == + \"linux\""],"name":"java_shell_execution_parent","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name in 
[\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os - == \"linux\""],"name":"jupyter_shell_execution","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + == \"linux\""],"name":"jupyter_shell_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not 
@@ -425,15 +993,15 @@ interactions: \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"] \u0026\u0026 process.file.path - not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", - \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", - \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", - \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", - \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", - \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", - \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", - \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", + \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", + \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", + \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", + \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", + \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", + \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", + \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", 
\"/usr/local/bin/registration-controller\", \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", 
@@ -441,349 +1009,347 @@ interactions: \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"name":"kernel_module_chmod","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == \"linux\""],"name":"kernel_module_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid - || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1713377577000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"A - kernel module was loaded","enabled":true,"expression":"load_module.name not - in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", - \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] - \u0026\u0026 process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + kernel module was loaded","enabled":true,"expression":"load_module.loaded_from_memory + == false \u0026\u0026 load_module.name not in [\"nf_tables\", \"iptable_filter\", + \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", + \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] \u0026\u0026 + process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os - == \"linux\""],"name":"kernel_module_load","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1713377577000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"A + == \"linux\""],"name":"kernel_module_load","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container loaded a new kernel module","enabled":true,"expression":"load_module.name - != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory - == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory - == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_rename","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"A + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n 
\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os - == \"linux\""],"name":"kernel_msr_write","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kernel + == \"linux\""],"name":"kernel_msr_write","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel modules were listed using the kmod command","enabled":true,"expression":"exec.comm - == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Kubernetes + == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == 
\"linux\""],"name":"kmod_list","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + Known DLLs location registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","filters":["os + == \"windows\""],"name":"known_dll_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kubernetes DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","filters":["os == - \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1713377577000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Library + \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Library libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE - \u0026\u0026 process.args in [r\".*libpam.so.*\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Looney + \u0026\u0026 process.args in [r\"libpam\\.so\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Looney Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == - \"linux\""],"name":"looney_tunables_exploit","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"memfd + 
\"linux\""],"name":"looney_tunables_exploit","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"memfd object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" - \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process + \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline - =~ \"*MiniDump*\"","filters":["os == \"windows\""],"name":"minidump_usage","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + =~ \"*MiniDump*\" \u0026\u0026 exec.cmdline =~ \"*comsvcs*\"","filters":["os + == \"windows\""],"name":"minidump_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process resolved a 
DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name - in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", - ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] - \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", + ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", + ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", + ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", + \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] \u0026\u0026 + process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ab6","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently + modified file requested credentials from IMDS","enabled":true,"expression":"imds.url + =~ \"/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.parent.file.modification_time + \u003c 120s || process.file.modification_time \u003c 30s)","filters":["os + == \"linux\""],"name":"modified_file_requesting_imds_creds","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The host file system was mounted in a container","enabled":true,"expression":"mount.source.path == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id - != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process + != \"\"","filters":["os == \"linux\""],"name":"mount_host_fs","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ibc","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + mount utility was executed in a container","enabled":true,"expression":"exec.comm + == \"mount\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process hidden using mount","enabled":true,"expression":"mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","filters":["os - == \"linux\""],"name":"mount_proc_hide","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == 
\"linux\""],"name":"mount_proc_hide","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A suspicious file was written by a network utility","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os - == \"linux\""],"name":"net_file_download","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Network + == \"linux\""],"name":"net_file_download","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Network utility executed with suspicious URI","enabled":true,"expression":"exec.comm in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", - ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + ~\"*.jpg*\"] ","filters":["os == 
\"linux\""],"name":"net_unusual_request","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" - ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Exfiltration + ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Exfiltration attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", - \"curl\", \"lwp-download\"] \u0026\u0026 \nexec.args_options in [ ~\"post-file=*\", + \"curl\", \"lwp-download\"] \u0026\u0026\nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args - not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"A + not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A network utility was executed in a container","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", - ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Local + ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-969","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + arguments indicating possible netcat shell detected","enabled":true,"expression":"exec.file.name + in [\"netcat\", \"nc\", \"ncat\"] \u0026\u0026 ((exec.args_flags in [\"l\"] + \u0026\u0026 exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] \u0026\u0026 + exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os + == 
\"linux\""],"name":"netcat_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Local account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name - in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container executed a new binary not found in the container image","enabled":true,"expression":"container.id != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time - \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == 
\"linux\""],"name":"new_binary_execution_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qn0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsenter + used to breakout of container","enabled":true,"expression":"exec.file.name + == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 + container.id != \"\"","filters":["os == \"linux\""],"name":"nsenter_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == 
\"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"nsswitch + in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"NTDS + in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline - =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + 
=~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os - == \"linux\""],"name":"offensive_k8s_tool","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Omiagent + == \"linux\""],"name":"offensive_k8s_tool","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Omiagent spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os - == \"linux\""],"name":"omigod","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == 
\"linux\""],"name":"omigod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 - O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Package + O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jl7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"openssl + used to establish backdoor","enabled":true,"expression":"exec.comm == \"openssl\" + \u0026\u0026 exec.args =~ \"*s_client*\"","filters":["os == \"linux\""],"name":"openssl_backdoor","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0pf","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process attempted to overwrite the container entrypoint","enabled":true,"expression":"open.file.path + == \"/proc/self/fd/1\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY + \u003e 0 \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"name":"overwrite_entrypoint","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o1o","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process made a connection to a port associated with P2PInfect malware","enabled":true,"expression":"connect.addr.family + \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 connect.addr.is_public == + true \u0026\u0026 connect.addr.port \u003e= 60100 \u0026\u0026 connect.addr.port + \u003c= 60150","filters":["os == \"linux\""],"name":"p2pinfect_connection","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Package management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"package_management_in_container","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"name":"package_management_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode - != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os - == \"linux\""],"name":"pam_modification_chown","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + == \"linux\""],"name":"pam_modification_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without 
authorization","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/pam.d/**\", 
\"/etc/pam.conf\" ]\n || rename.file.destination.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"PAM + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os == \"linux\""],"name":"pam_modification_utimes","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"name":"pam_modification_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags - not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + not in [\"S\", \"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name - in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] \u0026\u0026 - process.file.name != \"\"","filters":["os 
== \"linux\""],"name":"paste_site","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", + \"transfer.sh\"] \u0026\u0026 process.file.name != \"\"","filters":["os == + \"linux\""],"name":"paste_site","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == 
\"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1713377577000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path 
@@ -791,36 +1357,36 @@ interactions: ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", 
~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path 
@@ -828,455 +1394,439 @@ interactions: ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Critical + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
- \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-lel","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + arguments indicating possible perl bind shell detected","enabled":true,"expression":"exec.file.name + == ~\"perl*\" \u0026\u0026 exec.args_flags in [\"e\"] \u0026\u0026 ((exec.args + in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", + ~\"*stdin*\", ~\"*stdout\"]) || (exec.args in [~\"*/bin/sh*\", ~\"*/bin/bash*\"]))","filters":["os + == \"linux\""],"name":"perl_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7ez","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + arguments indicating possible php shell detected","enabled":true,"expression":"exec.file.name + == \"php\" \u0026\u0026 exec.args_flags in [\"r\"] \u0026\u0026 ((exec.args + in 
[~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", + ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", + ~\"*/bin/sh*\"]))","filters":["os == \"linux\""],"name":"php_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zse","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PHP + web application spawning shell","enabled":true,"expression":"exec.file.name + in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name in + [\"php.exe\",\"php-cgi.exe\"]","filters":["os == \"windows\""],"name":"php_spawning_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path - in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", - \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-guo","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == \"linux\""],"name":"potential_web_shell_parent","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-guo","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process was executed matching arguments for a UAC bypass technique common in powershell empire","enabled":true,"expression":"exec.cmdline in [~\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", ~\"*-NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","filters":["os - == \"windows\""],"name":"powershell_empire_uac_bypass","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == \"windows\""],"name":"powershell_empire_uac_bypass","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name - in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1713377577000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"def-000-oyv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Processes - were listed using the ps command","enabled":true,"expression":"exec.comm == - \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name - not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name - not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", - \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", - \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os - == \"linux\""],"name":"ps_discovery","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == - \"linux\""],"name":"ptrace_antidebug","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + 
\"linux\""],"name":"ptrace_antidebug","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request - == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 - exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Python + exec.uid != 0)","filters":["os == 
\"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Python code was provided on the command line","enabled":true,"expression":"exec.file.name == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", ~\"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os - == \"linux\""],"name":"python_cli_code","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Possible + == \"linux\""],"name":"python_cli_code","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Possible ransomware note created under common user directories","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 - open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] - \u0026\u0026 open.file.name not in [r\".*\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1713377577000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"RC + open.file.name in [r\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\"] + \u0026\u0026 open.file.name not in [r\"\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"RC scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"name":"rc_scripts_modified","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"name":"rc_scripts_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The kubeconfig file was accessed","enabled":true,"expression":"open.file.path in 
[~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == - \"linux\""],"name":"read_kubeconfig","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-rhk","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"OS - information was read from the /etc/lsb-release file","enabled":true,"expression":"open.file.path - == \"/etc/lsb-release\" \u0026\u0026 open.flags \u0026 O_RDONLY \u003e 0","filters":["os - == \"linux\""],"name":"read_release_info","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Detects + \"linux\""],"name":"read_kubeconfig","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detects CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", - \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Redis + \"redis-server\"]","filters":["os == 
\"linux\""],"name":"redis_sandbox_escape","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Redis module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in - [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-6oh","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jed","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + registry hives file location key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","filters":["os + == \"windows\""],"name":"registry_hives_file_path_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6oh","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A Registry runkey has been modified","enabled":true,"expression":"set.registry.key_path - in 
[~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", - ~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\", - ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", - ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal - Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", - ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal - Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\", - ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal - Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\"]","filters":["os - == \"windows\""],"name":"registry_runkey_modified","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-6x2","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Service + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", + ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal + Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows + NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal + Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","filters":["os + == 
\"windows\""],"name":"registry_runkey_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6x2","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Service registry runkey modified","enabled":true,"expression":"set.registry.key_path - in [~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce\", - ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\CurrentVersion\\\\RunServices\"]","filters":["os - == \"windows\""],"name":"registry_service_runkey_modified","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-bv2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Process + in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","filters":["os + == \"windows\""],"name":"registry_service_runkey_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bv2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process matches known relay attack tool","enabled":true,"expression":"exec.file.name in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", \"Potato.exe\", \"SpoolSample.exe\", \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","filters":["os - == 
\"windows\""],"name":"relay_attack_tool_execution","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-b5z","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"process + == \"windows\""],"name":"relay_attack_tool_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eho","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Container + escape attempted by overwriting release_agent","enabled":true,"expression":"open.file.name + == \"release_agent\" \u0026\u0026 open.file.path in [\"/tmp/**\", \"/home/**\", + \"/root/**\", \"/*\"] \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY + \u003e 0","filters":["os == \"linux\""],"name":"release_agent_escape","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b5z","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process arguments match rubeus credential theft tool","enabled":true,"expression":"exec.cmdline in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","filters":["os - == \"windows\""],"name":"rubeus_execution","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-h19","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"The - container breakout CVE-2024-21626 was successful","enabled":true,"expression":"chdir.file.path - == \"/sys/fs/cgroup\" \u0026\u0026 chdir.file.filesystem in [\"cgroup\", \"cgroup2\"] - \u0026\u0026 process.file.name =~ \"runc.*\"","filters":["os == \"linux\""],"name":"runc_leaky_fd","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + == \"windows\""],"name":"rubeus_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h19","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + container breakout CVE-2024-21626 was successful","enabled":true,"expression":"chdir.syscall.path + =~ \"/proc/self/fd/*\" \u0026\u0026 chdir.file.path == \"/sys/fs/cgroup\" + \u0026\u0026 process.file.name =~ \"runc.*\"","filters":["os == \"linux\""],"name":"runc_leaky_fd","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n\u0026\u0026 + 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"name":"runc_modification","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-x51","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Safeboot - registry modified","enabled":true,"expression":"set.registry.key_path =~ \"*\\\\HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\"","filters":["os - == \"windows\""],"name":"safeboot_modification","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"name":"runc_modification","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x51","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Safeboot + registry modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","filters":["os + == \"windows\""],"name":"safeboot_modification","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A scheduled task was created","enabled":true,"expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] - \u0026\u0026 exec.cmdline =~ \"*create*\"","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SELinux + \u0026\u0026 exec.cmdline =~ \"*create*\"","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SELinux enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os - == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request == PTRACE_PEEKTEXT || 
ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os - == \"linux\""],"name":"sensitive_tracing","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"systemctl + == \"linux\""],"name":"sensitive_tracing","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemctl used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" - \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-qf8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"sharpup + \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qf8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"sharpup tool used for local privilege escalation","enabled":true,"expression":"exec.file.name == \"sharpup.exe\" \u0026\u0026 exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", ~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", - 
~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","filters":["os == \"windows\""],"name":"sharpup_tool_usage","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell - History was Deleted","enabled":true,"expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") - \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os - == \"linux\""],"name":"shell_history_deleted","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","filters":["os == \"windows\""],"name":"sharpup_tool_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + History was Deleted","enabled":true,"expression":"unlink.file.name in [\".bash_history\", + \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", + \".sh_history\"] \u0026\u0026 unlink.file.path in [~\"/root/**\", ~\"/home/**\"] + \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os + == \"linux\""],"name":"shell_history_deleted","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A symbolic link for shell history was created targeting 
/dev/null","enabled":true,"expression":"exec.comm == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os - == \"linux\""],"name":"shell_history_symlink","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell + == \"linux\""],"name":"shell_history_symlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 open.file.name =~ r\".([dbazfi]*sh)(_history)$\" \u0026\u0026 + \u003e 0 \u0026\u0026 open.file.name in [\".bash_history\", \".zsh_history\", + \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name - == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Shell + == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dar","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + shell made an outbound network 
connection","enabled":true,"expression":"connect.addr.family + \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 process.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] + \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"name":"shell_net_connection","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) - \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-hbr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"process + \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hbr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process arguments match sliver c2 implant","enabled":true,"expression":"exec.cmdline =~ \"*NoExit *\" \u0026\u0026 exec.cmdline =~ \"*Command *\" \u0026\u0026 exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","filters":["os - == 
\"windows\""],"name":"sliver_c2_implant_execution","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + == \"windows\""],"name":"sliver_c2_implant_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oi1","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + arguments indicating possible socat shell detected","enabled":true,"expression":"((exec.file.name + == \"socat\") || (exec.comm == \"socat\")) \u0026\u0026 exec.args in [~\"*/bin/bash*\", + ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","filters":["os + == \"linux\""],"name":"socat_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + == 
\"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n link.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" - ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection 
Engineer","handle":""},"defaultRule":true,"description":"SSH + ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) - \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", - ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1713377577000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSH + == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"The + == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The configuration directory for an ssh worm","enabled":true,"expression":"open.file.path in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-41f","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + initiated a connection on a nonstandard port","enabled":true,"expression":"connect.addr.port + in [80, 8080, 88, 443, 8443, 4444] \u0026\u0026 process.file.name == \"ssh\"","filters":["os + == \"linux\""],"name":"ssh_nonstandard_connection","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-g5v","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process connected to an SSH server","enabled":true,"expression":"connect.addr.port + == 22 \u0026\u0026 connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 + \u0026\u0026 connect.addr.ip not in [127.0.0.0/8]","filters":["os == \"linux\""],"name":"ssh_outbound_connection","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 chmod.file.mode != chmod.file.destination.mode\n\u0026\u0026 - process.file.path != 
\"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != + chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name - !~ \"runc*\"","filters":["os == 
\"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 + process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == 
\"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 - process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 - process.file.name !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name + !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os - == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == + \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 - process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 - process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"SSL + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 - process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - == \"/etc/sudoers\") \n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode + == \"/etc/sudoers\")\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid - || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without 
authorization","enabled":true,"expression":"(\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os - == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"\n(open.flags + == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", + \"/usr/lib/snapd/snapd\"]","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os - == \"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + == \"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Sudoers + == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os - == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"a + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path - != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + != \"/usr/bin/sudo\"","filters":["os == 
\"linux\""],"name":"suid_file_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", - ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + ~\"*resume*\"]","filters":["os == \"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A container management utility was executed in a container","enabled":true,"expression":"exec.file.name in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"name":"suspicious_container_client","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-eck","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Dll + == \"linux\""],"name":"suspicious_container_client","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eck","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dll written to a suspicious directory","enabled":true,"expression":"create.file.name - =~ \"*.dll\" \u0026\u0026 create.file.path !~ \"C:\\\\Windows\\\\System32\\\\*\"","filters":["os - == \"windows\""],"name":"suspicious_dll_write","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Suspicious + =~ \"*.dll\" \u0026\u0026 create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", + ~\"\\Device\\*\\ProgramData\\docker\\**\"] \u0026\u0026 process.file.name + != \"dockerd.exe\"","filters":["os == \"windows\""],"name":"suspicious_dll_write","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Suspicious usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os - == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Recently + == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 process.ancestors.file.path 
@@ -1285,119 +1835,169 @@ interactions: \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 - chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"systemd_modification_chmod","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + ~\"/usr/local/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"name":"systemd_modification_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 - (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path in [ 
~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"systemd_modification_link","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"systemd_modification_open","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"systemd_modification_rename","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without 
authorization","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"systemd_modification_unlink","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"systemd_modification_utimes","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tar + ~\"/usr/local/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tar archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" - \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id - 
!= \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Tunneling + != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tunneling or port forwarding tool used","enabled":true,"expression":"((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args_flags in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args_flags in [\"R\", \"L\", \"D\", \"w\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args - in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) || (exec.comm in [\"iodine\", \"iodined\", + in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == - \"linux\""],"name":"tunnel_traffic","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + 
\"linux\""],"name":"tunnel_traffic","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wok","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Device + rule created","enabled":true,"expression":"open.file.path in [~\"/etc/udev/rules.d/*\", + ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", + ~\"/run/udev/rules.d/*\"] \u0026\u0026 open.flags \u0026 O_CREAT \u003e 0","filters":["os + == \"linux\""],"name":"udev_modification","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oil","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + unshare utility was executed in a container","enabled":true,"expression":"exec.comm + == \"unshare\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"unshare_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A user was created via an interactive session","enabled":true,"expression":"exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags - not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1713377577000,"updater":{"name":"Detection - 
Engineer","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A user was deleted via an interactive session","enabled":true,"expression":"exec.file.name in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"name":"user_deleted_tty","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-fsq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"A + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"name":"user_deleted_tty","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a65","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Web + application requested IMDSv1 credentials","enabled":true,"expression":"imds.aws.is_imds_v2 + == false \u0026\u0026 imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" 
+ \u0026\u0026 (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", + \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name + == \"java\")","filters":["os == \"linux\""],"name":"webapp_imds_V1_request","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nip","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Browser + WebDriver spawned shell","enabled":true,"expression":"process.parent.file.name + in [~\"chromedriver*\", \"geckodriver\"] \u0026\u0026 exec.file.name not in + [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","filters":["os + == \"linux\""],"name":"webdriver_spawned_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-gqa","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + boot registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","filters":["os + == \"windows\""],"name":"windows_boot_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tat","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + RPC COM debugging registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","filters":["os + == 
\"windows\""],"name":"windows_com_rpc_debugging_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-76q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + cryptographic blocking policy modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType + 0\\CryptSIPDllRemoveSignedDataMsg*\"]","filters":["os == \"windows\""],"name":"windows_cryptographic_blocking_policy_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fsq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A cryptominer was potentially executed","enabled":true,"expression":"exec.cmdline - in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", - ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", - ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os - == \"windows\""],"name":"windows_cryptominer_process","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713377577000,"creator":{"name":"Detection Engineer","handle":""},"defaultRule":true,"description":"Command + in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", + ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", + ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == + 
\"windows\""],"name":"windows_cryptominer_process","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6lj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"windows + explorer file has been modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\windows\\explorer.exe\"]","filters":["os == \"windows\""],"name":"windows_explorer_executable_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wnn","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + firewall configuration registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","filters":["os + == \"windows\""],"name":"windows_firewall_configuration_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tlf","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"the + windows hosts file was modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","filters":["os + == \"windows\""],"name":"windows_hosts_file_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zp4","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"microsoft + security essentials executable modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\Program Files\\Microsoft 
Security Client\\msseces.exe\"]","filters":["os + == \"windows\""],"name":"windows_security_essentials_executable_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-n3u","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + shell folders registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell + Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User + Shell Folders*\"]","filters":["os == \"windows\""],"name":"windows_shell_folders_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-m9i","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + environment variable registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","filters":["os + == \"windows\""],"name":"windows_system_enviroment_variable_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wqf","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + update registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","filters":["os + == \"windows\""],"name":"windows_update_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vez","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + winlogon registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","filters":["os + == \"windows\""],"name":"winlogon_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Command executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os - == \"windows\""],"name":"wmi_spawning_shell","updateDate":1713377577000,"updater":{"name":"Detection - Engineer","handle":""}}}]}' + == \"windows\""],"name":"wmi_spawning_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}}]}' headers: content-type: - application/json diff --git a/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.frozen index 795e3afea8..f0de7ad598 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:50.126Z \ No newline at end of file +2025-04-01T14:30:59.438Z \ No newline at end of file 
diff --git a/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.yaml index 26ebd92d18..d4ef693d9c 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_get_the_latest_cloud_workload_security_policy_returns_ok_response.yaml @@ -10,7 +10,7 @@ interactions: body: string: "# IMPORTANT: Edits to this file will not be reflected in the Datadog\ \ App and will be overwritten with new policy file downloads. Please modify\ - \ rules in the Datadog App for full functionality.\nversion: '1713895070226'\n\ + \ rules in the Datadog App for full functionality.\nversion: '1743517859524'\n\ rules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An\ \ AppArmor profile was modified in an interactive session\n expression: exec.file.name\ \ in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n \ 
@@ -276,70 +276,105 @@ interactions: \ != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id:\ \ dummy_rule\n version: 28ba1078\n description: Execution of a java process\n\ \ expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\ - \ []\n- id: dummy_rule_BAiZP\n version: 28ba1078\n description: Execution\ + \ []\n- id: dummy_rule_AszwF\n version: 28ba1078\n description: Execution\ \ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ - \ ''\n filters: []\n- id: dummy_rule_CpDMZ\n version: 28ba1078\n description:\ - \ Execution of a java process\n expression: exec.file.name == \"java\"\n\ - \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_HfYXr\n\ + \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_BAiZP\n version:\ + \ 28ba1078\n description: Execution of a java process\n expression: exec.file.name\ + \ == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_CpDMZ\n\ \ version: 28ba1078\n description: Execution of a java process\n expression:\ \ exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"\ - linux\"\n- id: dummy_rule_LPRxi\n version: 28ba1078\n description: Execution\ + linux\"\n- id: dummy_rule_DBtCK\n version: 28ba1078\n description: Execution\ \ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_RMoJm\n version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_HfYXr\n version:\ \ 28ba1078\n description: Execution of a java process\n expression: exec.file.name\ + \ == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ dummy_rule_JAnCe\n version: 28ba1078\n description: Execution of a java\ + \ process\n expression: exec.file.name == \"java\"\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: dummy_rule_KJInv\n version: 28ba1078\n\ + \ description: Execution of a java process\n expression: exec.file.name\ + \ == \"java\"\n 
agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ dummy_rule_KSDPb\n version: 28ba1078\n description: Execution of a java\ + \ process\n expression: exec.file.name == \"java\"\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: dummy_rule_LPRxi\n version: 28ba1078\n\ + \ description: Execution of a java process\n expression: exec.file.name\ + \ == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ dummy_rule_PkauG\n version: 28ba1078\n description: Execution of a java\ + \ process\n expression: exec.file.name == \"java\"\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: dummy_rule_RMoJm\n version: 28ba1078\n\ + \ description: Execution of a java process\n expression: exec.file.name\ \ == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_Tjzvu\n\ \ version: 28ba1078\n description: Execution of a java process\n expression:\ \ exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"\ - linux\"\n- id: dummy_rule_VxNSK\n version: 28ba1078\n description: Execution\ + linux\"\n- id: dummy_rule_VfQSV\n version: 28ba1078\n description: Execution\ \ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ - \ ''\n filters: []\n- id: dummy_rule_XcxFr\n version: 28ba1078\n description:\ - \ Execution of a java process\n expression: exec.file.name == \"java\"\n\ - \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bKkuv\n\ + \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VxNSK\n version:\ + \ 28ba1078\n description: Execution of a java process\n expression: exec.file.name\ + \ == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_XcxFr\n\ \ version: 28ba1078\n description: Execution of a java process\n expression:\ \ exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"\ - linux\"\n- id: dummy_rule_cdxqn\n version: 28ba1078\n description: Execution\ + linux\"\n- id: dummy_rule_bKkuv\n version: 28ba1078\n description: Execution\ 
\ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ - \ ''\n filters: []\n- id: dummy_rule_fWORB\n version: 28ba1078\n description:\ + \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bVlLJ\n version:\ + \ 28ba1078\n description: Execution of a java process\n expression: exec.file.name\ + \ == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ dummy_rule_cdxqn\n version: 28ba1078\n description: Execution of a java\ + \ process\n expression: exec.file.name == \"java\"\n agent_version: ''\n\ + \ filters: []\n- id: dummy_rule_fWORB\n version: 28ba1078\n description:\ \ Execution of a java process\n expression: exec.file.name == \"java\"\n\ \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_iNwDw\n\ \ version: 28ba1078\n description: Execution of a java process\n expression:\ - \ exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_ivMAv\n\ + \ exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_ipyRF\n\ \ version: 28ba1078\n description: Execution of a java process\n expression:\ \ exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"\ - linux\"\n- id: dummy_rule_jcvqK\n version: 28ba1078\n description: Execution\ + linux\"\n- id: dummy_rule_ivMAv\n version: 28ba1078\n description: Execution\ \ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_lszUX\n version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_jcvqK\n version:\ \ 28ba1078\n description: Execution of a java process\n expression: exec.file.name\ - \ == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_xkrhu\n\ + \ == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ dummy_rule_lszUX\n version: 28ba1078\n description: Execution of a java\ + \ process\n expression: exec.file.name == \"java\"\n agent_version: ''\n\ + \ filters: []\n- id: 
dummy_rule_mABue\n version: 28ba1078\n description:\ + \ Execution of a java process\n expression: exec.file.name == \"java\"\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_qDgvU\n\ \ version: 28ba1078\n description: Execution of a java process\n expression:\ - \ exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n\ - \ version: 1924611e\n description: A process unlinked a dynamic linker config\ - \ file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\"\ - , ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"\ - ]\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_write\n\ - \ version: 764fc516\n description: A process wrote to a dynamic linker config\ - \ file\n expression: open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\"\ - , \"/etc/ld.so.conf.d/*.conf\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 && process.file.path not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\"\ - , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n\ - \ ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ - ,\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\"\ - ,\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\"\ - ,\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\"\ - , \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\"\ - , \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n\ - \ filters: []\n- id: example_agent_rule\n version: 28ba1078\n description:\ - 
\ An example agent rule generated in terraform\n expression: exec.file.name\ - \ == \"java\"\n agent_version: ''\n filters: []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n\ + \ exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"\ + linux\"\n- id: dummy_rule_sUVnW\n version: 28ba1078\n description: Execution\ + \ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_tSfwV\n version:\ + \ 28ba1078\n description: Execution of a java process\n expression: exec.file.name\ + \ == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ dummy_rule_xkrhu\n version: 28ba1078\n description: Execution of a java\ + \ process\n expression: exec.file.name == \"java\"\n agent_version: ''\n\ + \ filters: []\n- id: dynamic_linker_config_unlink\n version: 1924611e\n\ + \ description: A process unlinked a dynamic linker config file\n expression:\ + \ unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"\ + ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ + , ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"]\n agent_version:\ + \ ''\n filters: []\n- id: dynamic_linker_config_write\n version: 764fc516\n\ + \ description: A process wrote to a dynamic linker config file\n expression:\ + \ open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"\ + ]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path\ + \ not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"\ + /usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\"\ + , \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\"] && process.ancestors.file.path\ + \ not in [\"/opt/datadog-agent/embedded/bin/agent\",\n 
\"/opt/datadog-agent/embedded/bin/system-probe\"\ + , \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\"\ + , \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\"\ + , \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n\ + \ \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"\ + ]\n agent_version: ''\n filters: []\n- id: example_agent_rule\n version:\ + \ 28ba1078\n description: An example agent rule generated in terraform\n\ + \ expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\ + \ []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n\ \ version: f43786f8\n description: Test Agent rule\n expression: exec.file.name\ \ == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\n\ \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ \ == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\n\ \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\n\ + \ == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425\n\ + \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ + \ == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\n\ \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ \ == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\n\ \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ 
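Review bot: The recorded default rule `dynamic_linker_config_write` lists `"/etc/ld.so.conf.d/*.conf"` without the `~` pattern prefix, while the sibling `dynamic_linker_config_unlink` rule in the same hunk writes it as `~"/etc/ld.so.conf.d/*.conf"`; if unprefixed SECL strings are exact matches, as that sibling's usage suggests, writes to drop-in files under /etc/ld.so.conf.d/ are not covered by the write rule and only ld.so.preload and ld.so.conf are monitored. This is Datadog-managed content returned by the service, so re-recording cannot fix it, but it is worth reporting upstream rather than silently refreshing the fixture. The same hunk also shows the downloaded policy accumulating roughly two dozen `dummy_rule_*` and `example*` entries from earlier test runs, so the recording org is keeping rules the scenarios never deleted; a teardown step for those scenarios would keep this download stable across re-records.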
@@ -347,14 +382,18 @@ interactions: \ version: f43786f8\n description: Test Agent rule\n expression: exec.file.name\ \ == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\n\ \ version: f43786f8\n description: Test Agent rule\n expression: exec.file.name\ - \ == \"sh\"\n agent_version: ''\n filters: []\n- id: exec_lsmod\n version:\ - \ 1a14c811\n description: Kernel modules were listed using the lsmod command\n\ - \ expression: exec.comm == \"lsmod\"\n agent_version: ''\n filters: []\n\ - - id: exec_whoami\n version: 90ea91b6\n description: The whoami command\ - \ was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n\ - \ filters: []\n- id: gcp_imds\n version: 3035dbbf\n description: An GCP\ - \ IMDS was called via a network utility\n expression: exec.comm in [\"wget\"\ - , \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\"\ + \ == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933\n\ + \ version: f43786f8\n description: Test Agent rule\n expression: exec.file.name\ + \ == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058\n\ + \ version: f43786f8\n description: Test Agent rule\n expression: exec.file.name\ + \ == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exec_lsmod\n\ + \ version: 1a14c811\n description: Kernel modules were listed using the\ + \ lsmod command\n expression: exec.comm == \"lsmod\"\n agent_version: ''\n\ + \ filters: []\n- id: exec_whoami\n version: 90ea91b6\n description: The\ + \ whoami command was executed\n expression: exec.comm == \"whoami\"\n agent_version:\ + \ ''\n filters: []\n- id: gcp_imds\n version: 3035dbbf\n description: An\ + \ GCP IMDS was called via a network utility\n expression: 
exec.comm in [\"\ + wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\"\ ,\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"\ ]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version:\ \ 60fd84a9\n description: A hidden file was executed in a suspicious folder\n\ diff --git a/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.frozen index 6578c45898..9c2278bbc1 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:49.946Z \ No newline at end of file +2025-04-01T14:30:59.240Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.yaml index a15ae68d2c..08ee4a7ce1 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_get_the_latest_csm_threats_policy_returns_ok_response.yaml @@ -8,7 +8,7 @@ interactions: uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/download response: body: - string: 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 + string: 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 headers: content-type: - application/zip 
diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen index d36fbc87a3..36ea0d2609 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.frozen @@ -1 +1 @@ -2024-05-28T19:38:09.490Z \ No newline at end of file +2025-04-18T09:10:14.669Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml index 00430a1725..bb9caf6e82 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_bad_request_response.yaml @@ -1,7 +1,7 @@ interactions: - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1716925089"},"type":"agent_rule"}}' + == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414"},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,10 +11,9 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: body: - string: '{"data":{"id":"qdg-dfm-kku","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1716925089","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1716925089625,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1716925089625,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","defaultRule":false,"enabled":true,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + string: '{"data":{"id":"03s-ro8-kgi","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1744967414924,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1744967414924,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}} ' 
@@ -25,20 +24,19 @@ interactions: code: 200 message: OK - request: - body: '{"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"open.file.path - = sh"},"id":"qdg-dfm-kku","type":"agent_rule"}}' + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name"},"id":"03s-ro8-kgi","type":"agent_rule"}}' headers: accept: - application/json content-type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/qdg-dfm-kku + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/03s-ro8-kgi response: body: string: '{"errors":["input_validation_error(Field ''expression'' is invalid: - rule `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1716925089` - error: syntax error `1:18: unexpected token \"sh\" (expected \"~\")`)"]} + rule `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414` + error: rule syntax error: bool expected: 1:1: exec.file.name\n^)"]} ' headers: @@ -53,7 +51,7 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/qdg-dfm-kku + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/03s-ro8-kgi response: body: string: '' diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen index e732e6152e..30a73c79d2 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.frozen 
@@ -1 +1 @@ -2024-05-28T19:38:10.057Z \ No newline at end of file +2025-04-18T09:45:20.422Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml index ea2ec7b554..3b9fd1abb6 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_not_found_response.yaml @@ -1,17 +1,17 @@ interactions: - request: - body: '{"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\""},"id":"abc-123-xyz","type":"agent_rule"}}' + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name + == \"sh\""},"id":"invalid-agent-rule-id","type":"agent_rule"}}' headers: accept: - application/json content-type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/non-existent-rule-id response: body: - string: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-123-xyz)"]} + string: '{"errors":["Not found"]} ' headers: diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.frozen index 14aae3e61f..0ad336788e 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.frozen 
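Review bot: The request body's `"id":"invalid-agent-rule-id"` no longer matches the path parameter `non-existent-rule-id` in the PATCH URI, so the recorded 404 only proves the server resolved the path id; a server that preferred the body id would answer differently and this fixture would not notice. Keep both identical, e.g. `"id":"non-existent-rule-id"` in the body, so the scenario exercises exactly one unknown identifier. The response text also changed from `not_found(Agent rule not found: agentRuleId=abc-123-xyz)` to a bare `Not found`, which stops echoing the caller-supplied id; that is reasonable server-side hardening, but any client-side assertion on the message text has to follow it.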
@@ -1 +1 @@ -2024-05-28T19:38:10.219Z \ No newline at end of file +2025-04-18T09:10:15.690Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.yaml index b3c78380a7..c5e27ed0c9 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_update_a_cloud_workload_security_agent_rule_returns_ok_response.yaml @@ -1,7 +1,7 @@ interactions: - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1716925090"},"type":"agent_rule"}}' + == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415"},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,10 +11,9 @@ interactions: uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules response: body: - string: '{"data":{"id":"wmz-xld-san","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1716925090","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1716925090332,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1716925090332,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + string: '{"data":{"id":"szj-quo-wak","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1744967416010,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1744967416010,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}} ' 
@@ -25,21 +24,20 @@ interactions: code: 200 message: OK - request: - body: '{"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\""},"id":"wmz-xld-san","type":"agent_rule"}}' + body: '{"data":{"attributes":{"description":"Updated Agent rule","expression":"exec.file.name + == \"sh\""},"id":"szj-quo-wak","type":"agent_rule"}}' headers: accept: - application/json content-type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/wmz-xld-san + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/szj-quo-wak response: body: - string: '{"data":{"id":"wmz-xld-san","attributes":{"version":2,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1716925090","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1716925090332,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1716925090525,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","enabled":true,"defaultRule":false,"creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI + string: '{"data":{"id":"szj-quo-wak","attributes":{"version":2,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415","description":"Updated + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1744967416010,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1744967416272,"filters":["os + == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}} ' @@ -55,7 +53,7 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/wmz-xld-san + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/szj-quo-wak response: body: string: '' diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_bad_request_response.frozen new file mode 100644 index 0000000000..27be8fe236 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_bad_request_response.frozen @@ -0,0 +1 @@ +2025-04-15T09:10:08.098Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_bad_request_response.yaml new file mode 100644 index 0000000000..86339c3850 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_bad_request_response.yaml 
@@ -0,0 +1,58 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1744708208"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"pp8-iw5-agt","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1744708208","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1744708208235,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:test"],"hostTagsLists":[["env:test"]],"name":""},"id":"pp8-iw5-agt","type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: PATCH + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/pp8-iw5-agt + response: + body: + string: '{"errors":[{"title":"failed to update policy"}]} + + ' + headers: + content-type: + - application/json + status: + code: 400 + message: Bad Request +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/pp8-iw5-agt + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content +version: 1 
diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_not_found_response.frozen new file mode 100644 index 0000000000..435b652a26 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_not_found_response.frozen @@ -0,0 +1 @@ +2025-04-01T14:31:00.854Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_not_found_response.yaml new file mode 100644 index 0000000000..ff8d65b9f3 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_not_found_response.yaml @@ -0,0 +1,22 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":[],"name":"my_agent_policy"},"id":"non-existent-policy-id","type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: PATCH + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/non-existent-policy-id + response: + body: + string: '{"errors":[{"title":"failed to update policy"}]} + + ' + headers: + content-type: + - application/json + status: + code: 400 + message: Bad Request +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_ok_response.frozen new file mode 100644 index 0000000000..562f84a677 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_ok_response.frozen @@ -0,0 +1 @@ +2025-04-15T09:10:09.401Z \ No newline at end of file 
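Review bot: This cassette is named `..._returns_not_found_response` but records `code: 400` / `message: Bad Request` for `PATCH .../policy/non-existent-policy-id`, whereas the rule counterpart `test_update_a_csm_threats_agent_rule_returns_not_found_response.yaml` in this same diff records a genuine 404 for an unknown rule id. The scenario will pass only because the feature file expects `400 Bad Request` for the "Not Found" update case, so the name documents behaviour the API does not have. Either the server should answer 404 for an unknown `policy_id` (the `GetCSMThreatsAgentPolicy` and `DeleteCSMThreatsAgentPolicy` scenarios expect 404 for the same id), or the scenario and cassette should be renamed to match the recorded status. As recorded, `{"errors":[{"title":"failed to update policy"}]}` also gives a client no way to tell an unknown id from a rejected body.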
diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_ok_response.yaml new file mode 100644 index 0000000000..98296b1ee0 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_policy_returns_ok_response.yaml 
@@ -0,0 +1,58 @@ +interactions: +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateacsmthreatsagentpolicyreturnsokresponse1744708209"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"99n-cjh-wuo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentpolicyreturnsokresponse1744708209","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1744708209551,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: '{"data":{"attributes":{"description":"Updated agent policy","enabled":true,"hostTagsLists":[["env:test"]],"name":"updated_agent_policy"},"id":"99n-cjh-wuo","type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: PATCH + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/99n-cjh-wuo + response: + body: + string: '{"data":{"id":"99n-cjh-wuo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"Updated + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":225,"name":"updated_agent_policy","policyVersion":"2","priority":1000000001,"ruleCount":226,"updateDate":1744708210164,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + 
uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/99n-cjh-wuo + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.frozen index 97a67f75df..12d907c5d0 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.frozen @@ -1 +1 @@ -2024-05-28T19:38:08.047Z \ No newline at end of file +2025-04-15T09:10:11.192Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.yaml index 0bb9270357..b8ce03a46f 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_bad_request_response.yaml 
@@ -1,7 +1,27 @@ interactions: +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"1i5-k3r-2dg","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1744708211304,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1716925088"},"type":"agent_rule"}}' + == \"sh\"","name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211","policy_id":"1i5-k3r-2dg","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,10 +31,10 @@ interactions: uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules response: body: - string: '{"data":{"id":"0wn-l36-875","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716925088306,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + string: '{"data":{"id":"qtl-8mk-8gy","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1744708211716,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1716925088","updateDate":1716925088306,"updater":{"name":"CI + == \"linux\""],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211","updateDate":1744708211716,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: content-type: 
@@ -23,20 +43,20 @@ interactions: code: 200 message: OK - request: - body: '{"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"open.file.path - = sh"},"id":"0wn-l36-875","type":"agent_rule"}}' + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name + == \"sh\"","policy_id":"1i5-k3r-2dg","product_tags":[]},"id":"invalid-agent-rule-id","type":"agent_rule"}}' headers: accept: - application/json content-type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/0wn-l36-875 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/qtl-8mk-8gy response: body: - string: '{"errors":["input_validation_error(Field ''expression'' is invalid: - rule `testupdateacsmthreatsagentrulereturnsbadrequestresponse1716925088` error: - syntax error `1:18: unexpected token \"sh\" (expected \"~\")`)"]}' + string: '{"errors":[{"title":"failed to update rule"}]} + + ' headers: content-type: - application/json @@ -49,7 +69,23 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/0wn-l36-875 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/qtl-8mk-8gy + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1i5-k3r-2dg response: body: string: '' diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.frozen index 55a64f021b..1a52f175ee 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.frozen 
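Review bot: The recorded "Bad Request" interaction now sends `"id":"invalid-agent-rule-id"` in the body while the path is `/agent_rules/qtl-8mk-8gy`, so what the scenario exercises is a body/path id mismatch, answered only by the opaque `{"errors":[{"title":"failed to update rule"}]}`. The previous recording hit the expression parser (`open.file.path = sh` rejected with `input_validation_error(Field 'expression' is invalid ...)`), which is the validation path a rule author actually relies on, and no update scenario in this diff covers it any more. Consider keeping a second recording with a malformed `expression` so a regression in expression validation on update still fails a test. The feature scenario driving this cassette lies outside the visible part of the diff.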
+++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:51.488Z \ No newline at end of file +2025-04-01T14:31:02.941Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.yaml index a58608b19e..126a4a8b0d 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_not_found_response.yaml 
@@ -1,14 +1,34 @@ interactions: +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateacsmthreatsagentrulereturnsnotfoundresponse1743517862"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"jnw-szj-ssb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentrulereturnsnotfoundresponse1743517862","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517862965,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\""},"id":"abc-123-xyz","type":"agent_rule"}}' + == \"sh\"","policy_id":"jnw-szj-ssb","product_tags":[]},"id":"non-existent-rule-id","type":"agent_rule"}}' headers: accept: - application/json content-type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/non-existent-rule-id response: body: string: '{"errors":[{"title":"failed to update rule"}]} @@ -20,4 +40,20 @@ interactions: status: code: 404 message: Not Found +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/jnw-szj-ssb + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content version: 1 
diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.frozen index b8c550f338..4dd297f02f 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.frozen @@ -1 +1 @@ -2024-04-23T17:57:51.647Z \ No newline at end of file +2025-04-01T14:31:03.998Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.yaml index 0cabaf36b2..0b916c1503 100644 --- a/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_update_a_csm_threats_agent_rule_returns_ok_response.yaml 
@@ -1,7 +1,27 @@ interactions: +- request: + body: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1743517863"},"type":"policy"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + string: '{"data":{"id":"evg-ugc-rb3","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentrulereturnsokresponse1743517863","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517864028,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK - request: body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testupdateacsmthreatsagentrulereturnsokresponse1713895071"},"type":"agent_rule"}}' + == \"sh\"","name":"testupdateacsmthreatsagentrulereturnsokresponse1743517863","policy_id":"evg-ugc-rb3","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' headers: accept: - application/json 
@@ -11,10 +31,11 @@ interactions: uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules response: body: - string: '{"data":{"id":"0am-0rq-wvm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713895071711,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"pqr-gh6-gj4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1743517864391,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testupdateacsmthreatsagentrulereturnsokresponse1713895071","updateDate":1713895071711,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"name":"testupdateacsmthreatsagentrulereturnsokresponse1743517863","updateDate":1743517864391,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: content-type: - application/json 
@@ -22,21 +43,22 @@ interactions: code: 200 message: OK - request: - body: '{"data":{"attributes":{"description":"Test Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\""},"id":"0am-0rq-wvm","type":"agent_rule"}}' + body: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name + == \"sh\"","policy_id":"evg-ugc-rb3","product_tags":[]},"id":"pqr-gh6-gj4","type":"agent_rule"}}' headers: accept: - application/json content-type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/0am-0rq-wvm + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pqr-gh6-gj4?policy_id=evg-ugc-rb3 response: body: - string: '{"data":{"id":"0am-0rq-wvm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1713895071000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + string: '{"data":{"id":"pqr-gh6-gj4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1743517864000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testupdateacsmthreatsagentrulereturnsokresponse1713895071","updateDate":1713895072276,"updater":{"name":"","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"name":"testupdateacsmthreatsagentrulereturnsokresponse1743517863","updateDate":1743517865118,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: content-type: - application/json 
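Review bot: The "OK" update is the only PATCH recording in this diff whose URI carries `?policy_id=evg-ugc-rb3` in addition to `"policy_id"` in the body; the "Bad Request" and "Not Found" recordings for the same operation send the attribute in the body only. The OpenAPI change in this commit marks the query parameter optional, so this is presumably driven by the feature scenarios rather than the API, but the result is that no recording pins what happens when the query and body values disagree. A short comment at the top of this cassette, such as `# policy_id is passed both as query parameter and in the body; the query form comes from the "policy_id" step in csm_threats.feature`, would make the asymmetry deliberate rather than accidental.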
@@ -49,7 +71,23 @@ interactions: accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/0am-0rq-wvm + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pqr-gh6-gj4 + response: + body: + string: '' + headers: + content-type: + - application/json + status: + code: 204 + message: No Content +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/evg-ugc-rb3 response: body: string: '' diff --git a/tests/v2/features/csm_threats.feature b/tests/v2/features/csm_threats.feature index 17d49528c5..b6479f1cf8 100644 --- a/tests/v2/features/csm_threats.feature +++ b/tests/v2/features/csm_threats.feature 
@@ -11,69 +11,111 @@ Feature: CSM Threats And a valid "appKeyAuth" key in the system And an instance of "CSMThreats" API + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Create a CSM Threats Agent policy returns "Bad Request" response + Given new "CreateCSMThreatsAgentPolicy" request + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "hostTagsLists": [], "name": "test"}, "type": "policy"}} + When the request is sent + Then the response status is 400 Bad Request + + @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Create a CSM Threats Agent policy returns "Conflict" response + Given new "CreateCSMThreatsAgentPolicy" request + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "type": "policy"}} + When the request is sent + Then the response status is 409 Conflict + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Create a CSM Threats Agent policy returns "OK" response + Given new "CreateCSMThreatsAgentPolicy" request + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "my_agent_policy"}, "type": "policy"}} + When the request is sent + Then the response status is 200 OK + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a CSM Threats Agent rule returns "Bad Request" response - Given new "CreateCSMThreatsAgentRule" request - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == sh", "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCSMThreatsAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", 
"enabled": true, "expression": "exec.file.name", "filters": [], "name": "my_agent_rule", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}} When the request is sent Then the response status is 400 Bad Request @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a CSM Threats Agent rule returns "Conflict" response - Given new "CreateCSMThreatsAgentRule" request - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "my_agent_rule"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCSMThreatsAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "my_agent_rule", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}} When the request is sent Then the response status is 409 Conflict @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a CSM Threats Agent rule returns "OK" response - Given new "CreateCSMThreatsAgentRule" request - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": ["os == \"linux\""], "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCSMThreatsAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}} When the request is sent Then the response status is 200 OK @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a Cloud Workload Security Agent 
rule returns "Bad Request" response - Given new "CreateCloudWorkloadSecurityAgentRule" request - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "open.file.path = sh", "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCloudWorkloadSecurityAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name", "filters": [], "name": "my_agent_rule"}, "type": "agent_rule"}} When the request is sent Then the response status is 400 Bad Request @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a Cloud Workload Security Agent rule returns "Conflict" response - Given new "CreateCloudWorkloadSecurityAgentRule" request - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCloudWorkloadSecurityAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "my_agent_rule"}, "type": "agent_rule"}} When the request is sent Then the response status is 409 Conflict @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a Cloud Workload Security Agent rule returns "OK" response - Given new "CreateCloudWorkloadSecurityAgentRule" request - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCloudWorkloadSecurityAgentRule" request + And body with value {"data": 
{"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} When the request is sent Then the response status is 200 OK - And the response "data.type" is equal to "agent_rule" - And the response "data.attributes.description" is equal to "Test Agent rule" + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Delete a CSM Threats Agent policy returns "Not Found" response + Given new "DeleteCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter with value "non-existent-policy-id" + When the request is sent + Then the response status is 404 Not Found + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Delete a CSM Threats Agent policy returns "OK" response + Given there is a valid "policy_rc" in the system + And new "DeleteCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter from "policy.data.id" + When the request is sent + Then the response status is 204 OK @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Delete a CSM Threats Agent rule returns "Not Found" response Given new "DeleteCSMThreatsAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" When the request is sent Then the response status is 404 Not Found @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Delete a CSM Threats Agent rule returns "OK" response - Given there is a valid "agent_rule_rc" in the system + Given there is a valid "policy_rc" in the system + And there is a valid "agent_rule_rc" in the system And new "DeleteCSMThreatsAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" + And request contains "policy_id" parameter from "policy.data.id" When the 
request is sent Then the response status is 204 OK @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Delete a Cloud Workload Security Agent rule returns "Not Found" response Given new "DeleteCloudWorkloadSecurityAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" When the request is sent Then the response status is 404 Not Found 
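Review bot: The three `Create a Cloud Workload Security Agent rule` scenarios gain `Given there is a valid "policy_rc" in the system`, but none of their request bodies reference `policy.data.id` (unlike the `Create a CSM Threats Agent rule` scenarios in the same hunk), so each run creates and tears down a policy the request never uses. If the legacy endpoint does not need a pre-existing policy, the three `Given` lines can be dropped and the following step restored to `Given new "CreateCloudWorkloadSecurityAgentRule" request`; if it does, a comment above those scenarios saying so would keep the next reader from removing them. Separately, the `Create a Cloud Workload Security Agent rule returns "OK"` scenario now checks only the status code, as do the `Get ... returns "OK"` and `Get all ...` scenarios in the `@@ -85,27 +127,42 @@`, `@@ -116,8 +173,12 @@` and `@@ -127,11 +188,9 @@` hunks; keeping one `And the response "data.type" is equal to "agent_rule"` step (or `"policy"` for the policy scenarios) would still pin the response shape.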
@@ -85,27 +127,42 @@ Feature: CSM Threats When the request is sent Then the response status is 204 OK + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Get a CSM Threats Agent policy returns "Not Found" response + Given new "GetCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter with value "non-existent-policy-id" + When the request is sent + Then the response status is 404 Not Found + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Get a CSM Threats Agent policy returns "OK" response + Given there is a valid "policy_rc" in the system + And new "GetCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter from "policy.data.id" + When the request is sent + Then the response status is 200 OK + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get a CSM Threats Agent rule returns "Not Found" response Given new "GetCSMThreatsAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" When the request is sent Then the response status is 404 Not Found @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get a CSM Threats Agent rule returns "OK" response - Given there is a valid "agent_rule_rc" in the system + Given there is a valid "policy_rc" in the system + And there is a valid "agent_rule_rc" in the system And new "GetCSMThreatsAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" + And request contains "policy_id" parameter from "policy.data.id" When the request is sent Then the response status is 200 OK - And the response "data.type" is equal to "agent_rule" - And the response "data.attributes.description" is equal to "My Agent rule" @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get a Cloud Workload Security Agent 
rule returns "Not Found" response Given new "GetCloudWorkloadSecurityAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" When the request is sent Then the response status is 404 Not Found @@ -116,8 +173,12 @@ Feature: CSM Threats And request contains "agent_rule_id" parameter from "agent_rule.data.id" When the request is sent Then the response status is 200 OK - And the response "data.type" is equal to "agent_rule" - And the response "data.attributes.description" is equal to "My Agent rule" + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Get all CSM Threats Agent policies returns "OK" response + Given new "ListCSMThreatsAgentPolicies" request + When the request is sent + Then the response status is 200 OK @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get all CSM Threats Agent rules returns "OK" response @@ -127,11 +188,9 @@ Feature: CSM Threats @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get all Cloud Workload Security Agent rules returns "OK" response - Given there is a valid "agent_rule" in the system - And new "ListCloudWorkloadSecurityAgentRules" request + Given new "ListCloudWorkloadSecurityAgentRules" request When the request is sent Then the response status is 200 OK - And the response "data[0].type" is equal to "agent_rule" @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get the latest CSM Threats policy returns "OK" response 
@@ -145,49 +204,87 @@ Feature: CSM Threats When the request is sent Then the response status is 200 OK + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Update a CSM Threats Agent policy returns "Bad Request" response + Given there is a valid "policy_rc" in the system + And new "UpdateCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter from "policy.data.id" + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": ["env:test"], "hostTagsLists": [["env:test"]], "name": ""}, "id": "{{ policy.data.id }}", "type": "policy"}} + When the request is sent + Then the response status is 400 Bad Request + + @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Update a CSM Threats Agent policy returns "Concurrent Modification" response + Given there is a valid "policy_rc" in the system + And new "UpdateCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter from "policy.data.id" + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "id": "{{ policy.data.id }}", "type": "policy"}} + When the request is sent + Then the response status is 409 Concurrent Modification + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Update a CSM Threats Agent policy returns "Not Found" response + Given new "UpdateCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter with value "non-existent-policy-id" + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "id": "non-existent-policy-id", "type": "policy"}} + When the request is sent + Then the response status is 400 Bad Request + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Update a CSM Threats Agent policy returns "OK" 
response + Given there is a valid "policy_rc" in the system + And new "UpdateCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter from "policy.data.id" + And body with value {"data": {"attributes": {"description": "Updated agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "updated_agent_policy"}, "id": "{{ policy.data.id }}", "type": "policy"}} + When the request is sent + Then the response status is 200 OK + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Update a CSM Threats Agent rule returns "Bad Request" response - Given there is a valid "agent_rule_rc" in the system + Given there is a valid "policy_rc" in the system + And there is a valid "agent_rule_rc" in the system And new "UpdateCSMThreatsAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "open.file.path = sh"}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}} + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "id": "invalid-agent-rule-id", "type": "agent_rule"}} When the request is sent Then the response status is 400 Bad Request @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Update a CSM Threats Agent rule returns "Concurrent Modification" response - Given new "UpdateCSMThreatsAgentRule" request - And there is a valid "agent_rule" in the system + Given there is a valid "agent_rule_rc" in the system + And there is a valid "policy_rc" in the system + And new "UpdateCSMThreatsAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == 
\"sh\""}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}} + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}} When the request is sent Then the response status is 409 Concurrent Modification @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Update a CSM Threats Agent rule returns "Not Found" response - Given new "UpdateCSMThreatsAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"abc-123-xyz"}} + Given there is a valid "policy_rc" in the system + And new "UpdateCSMThreatsAgentRule" request + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "id": "non-existent-rule-id", "type": "agent_rule"}} When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Update a CSM Threats Agent rule returns "OK" response - Given there is a valid "agent_rule_rc" in the system + Given there is a valid "policy_rc" in the system + And there is a valid "agent_rule_rc" in the system And new "UpdateCSMThreatsAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", 
"id":"{{ agent_rule.data.id }}"}} + And request contains "policy_id" parameter from "policy.data.id" + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}} When the request is sent Then the response status is 200 OK - And the response "data.type" is equal to "agent_rule" - And the response "data.attributes.description" is equal to "Test Agent rule" @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Update a Cloud Workload Security Agent rule returns "Bad Request" response Given there is a valid "agent_rule" in the system And new "UpdateCloudWorkloadSecurityAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "open.file.path = sh"}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}} + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name"}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}} When the request is sent Then the response status is 400 Bad Request 
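Review bot: The scenario `Update a CSM Threats Agent policy returns "Not Found" response` expects `Then the response status is 400 Bad Request`, which contradicts its title; either the expectation should be `Then the response status is 404 Not Found` to match the sibling rule scenario, or, if the API really answers 400 for an unknown policy id, the title should say so. In `Update a CSM Threats Agent rule returns "Concurrent Modification" response` the `policy_rc` fixture is created after `agent_rule_rc`, yet the `agent_rule_rc` body in `tests/v2/features/given.json` (`@@ -555,7 +555,7 @@`) references `{{ policy.data.id }}`; if fixtures are rendered at creation time that reference is unresolved, and every other scenario in this hunk puts `policy_rc` first. Because that scenario is tagged `@skip`, the problem would only surface when it is re-enabled. Note also that `Update a CSM Threats Agent rule returns "OK" response` is newly tagged `@skip`, which leaves the success path of the rule update endpoint without a running test.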
@@ -196,15 +293,15 @@ Feature: CSM Threats Given there is a valid "agent_rule" in the system And new "UpdateCloudWorkloadSecurityAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}} + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}} When the request is sent Then the response status is 409 Concurrent Modification @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Update a Cloud Workload Security Agent rule returns "Not Found" response Given new "UpdateCloudWorkloadSecurityAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"abc-123-xyz"}} + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "id": "invalid-agent-rule-id", "type": "agent_rule"}} When the request is sent Then the response status is 404 Not Found 
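Review bot: In `Update a Cloud Workload Security Agent rule returns "Not Found" response` the path parameter is `"non-existent-rule-id"` while the body carries `"id": "invalid-agent-rule-id"`, so the 404 assertion depends on the server resolving the path id before it compares it with the body id; the parallel CSM Threats scenario in the previous hunk uses the same value in both places. Using `"id": "non-existent-rule-id"` in the body keeps this scenario testing only the not-found path.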
@@ -213,8 +310,6 @@ Feature: CSM Threats Given there is a valid "agent_rule" in the system And new "UpdateCloudWorkloadSecurityAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}} + And body with value {"data": {"attributes": {"description": "Updated Agent rule", "expression": "exec.file.name == \"sh\""}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}} When the request is sent Then the response status is 200 OK - And the response "data.type" is equal to "agent_rule" - And the response "data.attributes.description" is equal to "Test Agent rule" diff --git a/tests/v2/features/given.json b/tests/v2/features/given.json index 7b12664d37..696fef088c 100644 --- a/tests/v2/features/given.json +++ b/tests/v2/features/given.json @@ -555,7 +555,7 @@ "parameters": [ { "name": "body", - "value": "{\n \"data\": {\n \"type\": \"agent_rule\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My Agent rule\",\n \"expression\": \"exec.file.name == \\\"sh\\\"\",\n \"enabled\": true\n }\n }\n}" + "value": "{\n \"data\": {\n \"type\": \"agent_rule\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My Agent rule\",\n \"expression\": \"exec.file.name == \\\"sh\\\"\",\n \"enabled\": true,\n \"product_tags\": [\"security:attack\", \"technique:T1059\"],\n \"policy_id\": \"{{ policy.data.id }}\"\n }\n }\n}" } ], "step": "there is a valid \"agent_rule_rc\" in the system", 
@@ -563,6 +563,18 @@ "tag": "CSM Threats", "operationId": "CreateCSMThreatsAgentRule" }, + { + "parameters": [ + { + "name": "body", + "value": "{\n \"data\": {\n \"type\": \"policy\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My agent policy\",\n \"hostTags\": [\"env:staging\"],\n \"enabled\": true\n }\n }\n}" + } + ], + "step": "there is a valid \"policy_rc\" in the system", + "key": "policy", + "tag": "CSM Threats", + "operationId": "CreateCSMThreatsAgentPolicy" + }, { "parameters": [ { diff --git a/tests/v2/features/undo.json b/tests/v2/features/undo.json index 6e56bb4431..aad61cf15e 100644 --- a/tests/v2/features/undo.json +++ b/tests/v2/features/undo.json @@ -2135,12 +2135,49 @@ "type": "idempotent" } }, + "ListCSMThreatsAgentPolicies": { + "tag": "CSM Threats", + "undo": { + "type": "safe" + } + }, + "CreateCSMThreatsAgentPolicy": { + "tag": "CSM Threats", + "undo": { + "operationId": "DeleteCSMThreatsAgentPolicy", + "parameters": [ + { + "name": "policy_id", + "source": "data.id" + } + ], + "type": "unsafe" + } + }, "DownloadCSMThreatsPolicy": { "tag": "CSM Threats", "undo": { "type": "safe" } }, + "DeleteCSMThreatsAgentPolicy": { + "tag": "CSM Threats", + "undo": { + "type": "idempotent" + } + }, + "GetCSMThreatsAgentPolicy": { + "tag": "CSM Threats", + "undo": { + "type": "safe" + } + }, + "UpdateCSMThreatsAgentPolicy": { + "tag": "CSM Threats", + "undo": { + "type": "idempotent" + } + }, "ListPipelines": { "tag": "Observability Pipelines", "undo": {