From 056968873ee44d30e327303bdea61010760c7e04 Mon Sep 17 00:00:00 2001 
From: "ci.datadog-api-spec" Date: Mon, 28 Apr 2025 14:22:14 +0000 Subject: [PATCH] Regenerate client from commit 696be8b0 of spec repo --- .apigentools-info | 8 +- .generator/schemas/v2/openapi.yaml | 513 ++++++++-- .../frozen.json | 1 + .../recording.har | 67 ++ .../frozen.json | 1 + .../recording.har | 109 +++ .../frozen.json | 2 +- .../recording.har | 111 ++- .../frozen.json | 2 +- .../recording.har | 123 ++- .../frozen.json | 2 +- .../recording.har | 111 ++- .../frozen.json | 2 +- .../recording.har | 123 ++- .../frozen.json | 1 + .../recording.har | 57 ++ .../frozen.json | 1 + .../recording.har | 152 +++ .../frozen.json | 2 +- .../recording.har | 10 +- .../frozen.json | 2 +- .../recording.har | 138 ++- .../frozen.json | 2 +- .../recording.har | 18 +- .../frozen.json | 2 +- .../recording.har | 34 +- .../frozen.json | 1 + .../recording.har | 57 ++ .../frozen.json | 1 + .../recording.har | 152 +++ .../frozen.json | 2 +- .../recording.har | 10 +- .../frozen.json | 2 +- .../recording.har | 142 ++- .../frozen.json | 2 +- .../recording.har | 18 +- .../frozen.json | 2 +- .../recording.har | 36 +- .../frozen.json | 1 + .../recording.har | 57 ++ .../frozen.json | 2 +- .../recording.har | 10 +- .../frozen.json | 2 +- .../recording.har | 100 +- .../frozen.json | 2 +- .../recording.har | 10 +- .../frozen.json | 2 +- .../recording.har | 14 +- .../frozen.json | 1 + .../recording.har | 162 ++++ .../frozen.json | 1 + .../recording.har | 67 ++ .../frozen.json | 1 + .../recording.har | 162 ++++ .../frozen.json | 2 +- .../recording.har | 137 ++- .../frozen.json | 2 +- .../recording.har | 109 ++- .../frozen.json | 2 +- .../recording.har | 148 ++- .../frozen.json | 2 +- .../recording.har | 40 +- .../frozen.json | 2 +- .../recording.har | 22 +- .../frozen.json | 2 +- .../recording.har | 44 +- .../CreateCSMThreatsAgentPolicy.ts | 31 + .../csm-threats/CreateCSMThreatsAgentRule.ts | 7 +- .../CreateCloudWorkloadSecurityAgentRule.ts | 3 +- .../DeleteCSMThreatsAgentPolicy.ts | 24 + 
.../csm-threats/DeleteCSMThreatsAgentRule.ts | 4 + .../csm-threats/GetCSMThreatsAgentPolicy.ts | 24 + .../v2/csm-threats/GetCSMThreatsAgentRule.ts | 4 + .../ListCSMThreatsAgentPolicies.ts | 17 + .../UpdateCSMThreatsAgentPolicy.ts | 36 + .../csm-threats/UpdateCSMThreatsAgentRule.ts | 10 +- .../UpdateCloudWorkloadSecurityAgentRule.ts | 5 +- features/support/scenarios_model_mapping.ts | 51 + features/v2/csm_threats.feature | 189 +++- features/v2/given.json | 14 +- features/v2/undo.json | 37 + .../apis/CSMThreatsApi.ts | 900 ++++++++++++++++-- packages/datadog-api-client-v2/index.ts | 17 + ...rkloadSecurityAgentPoliciesListResponse.ts | 53 ++ ...udWorkloadSecurityAgentPolicyAttributes.ts | 172 ++++ ...loadSecurityAgentPolicyCreateAttributes.ts | 85 ++ ...udWorkloadSecurityAgentPolicyCreateData.ts | 64 ++ ...orkloadSecurityAgentPolicyCreateRequest.ts | 54 ++ .../CloudWorkloadSecurityAgentPolicyData.ts | 70 ++ ...loudWorkloadSecurityAgentPolicyResponse.ts | 53 ++ .../CloudWorkloadSecurityAgentPolicyType.ts | 16 + ...loadSecurityAgentPolicyUpdateAttributes.ts | 84 ++ ...udWorkloadSecurityAgentPolicyUpdateData.ts | 72 ++ ...orkloadSecurityAgentPolicyUpdateRequest.ts | 54 ++ ...oadSecurityAgentPolicyUpdaterAttributes.ts | 60 ++ .../CloudWorkloadSecurityAgentRuleAction.ts | 2 +- ...loudWorkloadSecurityAgentRuleAttributes.ts | 44 +- ...rkloadSecurityAgentRuleCreateAttributes.ts | 20 +- ...loudWorkloadSecurityAgentRuleCreateData.ts | 4 +- ...dWorkloadSecurityAgentRuleCreateRequest.ts | 4 +- ...kloadSecurityAgentRuleCreatorAttributes.ts | 6 +- .../CloudWorkloadSecurityAgentRuleData.ts | 8 +- .../CloudWorkloadSecurityAgentRuleKill.ts | 2 +- .../CloudWorkloadSecurityAgentRuleResponse.ts | 4 +- .../CloudWorkloadSecurityAgentRuleType.ts | 2 +- ...rkloadSecurityAgentRuleUpdateAttributes.ts | 24 +- ...loudWorkloadSecurityAgentRuleUpdateData.ts | 8 +- ...dWorkloadSecurityAgentRuleUpdateRequest.ts | 4 +- ...kloadSecurityAgentRuleUpdaterAttributes.ts | 6 +- 
...dWorkloadSecurityAgentRulesListResponse.ts | 4 +- .../models/ObjectSerializer.ts | 33 + 111 files changed, 4871 insertions(+), 639 deletions(-) create mode 100644 cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_3409010185/frozen.json create mode 100644 cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_3409010185/recording.har create mode 100644 cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-OK-response_1087984389/frozen.json create mode 100644 cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-OK-response_1087984389/recording.har create mode 100644 cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3323845053/frozen.json create mode 100644 cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3323845053/recording.har create mode 100644 cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-OK-response_477892956/frozen.json create mode 100644 cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-OK-response_477892956/recording.har create mode 100644 cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3666100356/frozen.json create mode 100644 cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3666100356/recording.har create mode 100644 cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-OK-response_986315271/frozen.json create mode 100644 cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-OK-response_986315271/recording.har create mode 100644 cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-policies-returns-OK-response_3772916195/frozen.json create mode 100644 
cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-policies-returns-OK-response_3772916195/recording.har create mode 100644 cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_2775047112/frozen.json create mode 100644 cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_2775047112/recording.har create mode 100644 cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3584252671/frozen.json create mode 100644 cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3584252671/recording.har create mode 100644 cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-OK-response_2370796006/frozen.json create mode 100644 cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-OK-response_2370796006/recording.har create mode 100644 examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.ts create mode 100644 examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.ts create mode 100644 examples/v2/csm-threats/GetCSMThreatsAgentPolicy.ts create mode 100644 examples/v2/csm-threats/ListCSMThreatsAgentPolicies.ts create mode 100644 examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.ts create mode 100644 packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPoliciesListResponse.ts create mode 100644 packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyAttributes.ts create mode 100644 packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyCreateAttributes.ts create mode 100644 packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyCreateData.ts create mode 100644 packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyCreateRequest.ts create mode 100644 packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyData.ts create mode 100644 
packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyResponse.ts create mode 100644 packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyType.ts create mode 100644 packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdateAttributes.ts create mode 100644 packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdateData.ts create mode 100644 packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdateRequest.ts create mode 100644 packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdaterAttributes.ts diff --git a/.apigentools-info b/.apigentools-info index 91d33b8188f4..29e0297dd8d1 100644 --- a/.apigentools-info +++ b/.apigentools-info @@ -4,13 +4,13 @@ "spec_versions": { "v1": { "apigentools_version": "1.6.6", - "regenerated": "2025-04-24 15:56:58.742206", - "spec_repo_commit": "d2685952" + "regenerated": "2025-04-28 14:20:31.583327", + "spec_repo_commit": "696be8b0" }, "v2": { "apigentools_version": "1.6.6", - "regenerated": "2025-04-24 15:56:58.758204", - "spec_repo_commit": "d2685952" + "regenerated": "2025-04-28 14:20:31.601102", + "spec_repo_commit": "696be8b0" } } } \ No newline at end of file diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 047415167c10..5490b0f1d64d 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml 
@@ -209,13 +209,29 @@ components: schema: type: string CloudWorkloadSecurityAgentRuleID: - description: The ID of the Agent rule. + description: The ID of the Agent rule example: 3b5-v82-ns6 in: path name: agent_rule_id required: true schema: type: string + CloudWorkloadSecurityPathAgentPolicyID: + description: The ID of the Agent policy + example: 6517fcc1-cec7-4394-a655-8d6e9d085255 + in: path + name: policy_id + required: true + schema: + type: string + CloudWorkloadSecurityQueryAgentPolicyID: + description: The ID of the Agent policy + example: 6517fcc1-cec7-4394-a655-8d6e9d085255 + in: query + name: policy_id + required: false + schema: + type: string ConfluentAccountID: description: Confluent Account ID. in: path 
@@ -7020,8 +7036,240 @@ components: type: string x-enum-varnames: - CLOUD_CONFIGURATION + CloudWorkloadSecurityAgentPoliciesListResponse: + description: Response object that includes a list of Agent policies + properties: + data: + description: A list of Agent policy objects + items: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyData' + type: array + type: object + CloudWorkloadSecurityAgentPolicyAttributes: + description: A Cloud Workload Security Agent policy returned by the API + properties: + blockingRulesCount: + description: The number of rules with the blocking feature in this policy + example: 100 + format: int32 + maximum: 2147483647 + type: integer + datadogManaged: + description: Whether the policy is managed by Datadog + example: false + type: boolean + description: + description: The description of the policy + example: My agent policy + type: string + disabledRulesCount: + description: The number of rules that are disabled in this policy + example: 100 + format: int32 + maximum: 2147483647 + type: integer + enabled: + description: Whether the Agent policy is enabled + example: true + type: boolean + hostTags: + description: The host tags defining where this policy is deployed + items: + type: string + type: array + hostTagsLists: + description: The host tags defining where this policy is deployed, the inner + values are linked with AND, the outer values are linked with OR + items: + items: + type: string + type: array + type: array + monitoringRulesCount: + description: The number of rules in the monitoring state in this policy + example: 100 + format: int32 + maximum: 2147483647 + type: integer + name: + description: The name of the policy + example: my_agent_policy + type: string + policyVersion: + description: The version of the policy + example: '1' + type: string + priority: + description: The priority of the policy + example: 10 + format: int64 + type: integer + ruleCount: + description: The number of rules in this policy + 
example: 100 + format: int32 + maximum: 2147483647 + type: integer + updateDate: + description: Timestamp in milliseconds when the policy was last updated + example: 1624366480320 + format: int64 + type: integer + updatedAt: + description: When the policy was last updated, timestamp in milliseconds + example: 1624366480320 + format: int64 + type: integer + updater: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdaterAttributes' + type: object + CloudWorkloadSecurityAgentPolicyCreateAttributes: + description: Create a new Cloud Workload Security Agent policy + properties: + description: + description: The description of the policy + example: My agent policy + type: string + enabled: + description: Whether the policy is enabled + example: true + type: boolean + hostTags: + description: The host tags defining where this policy is deployed + items: + type: string + type: array + hostTagsLists: + description: The host tags defining where this policy is deployed, the inner + values are linked with AND, the outer values are linked with OR + items: + items: + type: string + type: array + type: array + name: + description: The name of the policy + example: my_agent_policy + type: string + required: + - name + type: object + CloudWorkloadSecurityAgentPolicyCreateData: + description: Object for a single Agent rule + properties: + attributes: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyCreateAttributes' + type: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyType' + required: + - attributes + - type + type: object + CloudWorkloadSecurityAgentPolicyCreateRequest: + description: Request object that includes the Agent policy to create + properties: + data: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyCreateData' + required: + - data + type: object + CloudWorkloadSecurityAgentPolicyData: + description: Object for a single Agent policy + properties: + attributes: + $ref: 
'#/components/schemas/CloudWorkloadSecurityAgentPolicyAttributes' + id: + description: The ID of the Agent policy + example: 6517fcc1-cec7-4394-a655-8d6e9d085255 + type: string + type: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyType' + type: object + CloudWorkloadSecurityAgentPolicyID: + description: The ID of the Agent policy + example: 6517fcc1-cec7-4394-a655-8d6e9d085255 + type: string + CloudWorkloadSecurityAgentPolicyResponse: + description: Response object that includes an Agent policy + properties: + data: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyData' + type: object + CloudWorkloadSecurityAgentPolicyType: + default: policy + description: The type of the resource, must always be `policy` + enum: + - policy + example: policy + type: string + x-enum-varnames: + - POLICY + CloudWorkloadSecurityAgentPolicyUpdateAttributes: + description: Update an existing Cloud Workload Security Agent policy + properties: + description: + description: The description of the policy + example: My agent policy + type: string + enabled: + description: Whether the policy is enabled + example: true + type: boolean + hostTags: + description: The host tags defining where this policy is deployed + items: + type: string + type: array + hostTagsLists: + description: The host tags defining where this policy is deployed, the inner + values are linked with AND, the outer values are linked with OR + items: + items: + type: string + type: array + type: array + name: + description: The name of the policy + example: my_agent_policy + type: string + type: object + CloudWorkloadSecurityAgentPolicyUpdateData: + description: Object for a single Agent policy + properties: + attributes: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdateAttributes' + id: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyID' + type: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyType' + required: + - attributes + - type + type: object + 
CloudWorkloadSecurityAgentPolicyUpdateRequest: + description: Request object that includes the Agent policy with the attributes + to update + properties: + data: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdateData' + required: + - data + type: object + CloudWorkloadSecurityAgentPolicyUpdaterAttributes: + description: The attributes of the user who last updated the policy + properties: + handle: + description: The handle of the user + example: datadog.user@example.com + type: string + name: + description: The name of the user + example: Datadog User + nullable: true + type: string + type: object CloudWorkloadSecurityAgentRuleAction: - description: The action the rule can perform if triggered. + description: The action the rule can perform if triggered properties: filter: description: SECL expression used to target the container to apply the action 
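Review bot: `CloudWorkloadSecurityAgentPolicyCreateData` is described as `Object for a single Agent rule`, text copied from the rule schema, while its siblings `CloudWorkloadSecurityAgentPolicyData` and `CloudWorkloadSecurityAgentPolicyUpdateData` say `Object for a single Agent policy`; it should read `description: Object for a single Agent policy`, since this string is emitted verbatim into the generated model docs. The new policy attributes also carry both `hostTags` and `hostTagsLists` with near-identical descriptions and no statement of what happens when a client sends both. Because these tags decide which hosts a policy and its blocking rules are deployed to, each description should say which one takes precedence (or that `hostTags` is the legacy single-list form), whichever the backend actually implements.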
@@ -7031,77 +7279,82 @@ components: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleKill' type: object CloudWorkloadSecurityAgentRuleActions: - description: The array of actions the rule can perform if triggered. + description: The array of actions the rule can perform if triggered items: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleAction' nullable: true type: array CloudWorkloadSecurityAgentRuleAttributes: - description: A Cloud Workload Security Agent rule returned by the API. + description: A Cloud Workload Security Agent rule returned by the API properties: actions: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActions' agentConstraint: - description: The version of the agent. + description: The version of the Agent type: string category: - description: The category of the Agent rule. + description: The category of the Agent rule example: Process Activity type: string creationAuthorUuId: - description: The ID of the user who created the rule. + description: The ID of the user who created the rule example: e51c9744-d158-11ec-ad23-da7ad0900002 type: string creationDate: - description: When the Agent rule was created, timestamp in milliseconds. + description: When the Agent rule was created, timestamp in milliseconds example: 1624366480320 format: int64 type: integer creator: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreatorAttributes' defaultRule: - description: Whether the rule is included by default. + description: Whether the rule is included by default example: false type: boolean description: - description: The description of the Agent rule. + description: The description of the Agent rule example: My Agent rule type: string enabled: - description: Whether the Agent rule is enabled. + description: Whether the Agent rule is enabled example: true type: boolean expression: - description: The SECL expression of the Agent rule. 
- example: exec.file.name == \"sh\" + description: The SECL expression of the Agent rule + example: exec.file.name == "sh" type: string filters: - description: The platforms the Agent rule is supported on. + description: The platforms the Agent rule is supported on items: type: string type: array name: - description: The name of the Agent rule. + description: The name of the Agent rule example: my_agent_rule type: string + product_tags: + description: The list of product tags associated with the rule + items: + type: string + type: array updateAuthorUuId: - description: The ID of the user who updated the rule. + description: The ID of the user who updated the rule example: e51c9744-d158-11ec-ad23-da7ad0900002 type: string updateDate: - description: Timestamp in milliseconds when the Agent rule was last updated. + description: Timestamp in milliseconds when the Agent rule was last updated example: 1624366480320 format: int64 type: integer updatedAt: - description: When the Agent rule was last updated, timestamp in milliseconds. + description: When the Agent rule was last updated, timestamp in milliseconds example: 1624366480320 format: int64 type: integer updater: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdaterAttributes' version: - description: The version of the Agent rule. + description: The version of the Agent rule example: 23 format: int64 type: integer @@ -7114,15 +7367,15 @@ components: example: My Agent rule type: string enabled: - description: Whether the Agent rule is enabled. + description: Whether the Agent rule is enabled example: true type: boolean expression: description: The SECL expression of the Agent rule. - example: exec.file.name == \"sh\" + example: exec.file.name == "sh" type: string filters: - description: The platforms the Agent rule is supported on. + description: The platforms the Agent rule is supported on items: type: string type: array 
@@ -7130,12 +7383,21 @@ components: description: The name of the Agent rule. example: my_agent_rule type: string + policy_id: + description: The ID of the policy where the Agent rule is saved + example: a8c8e364-6556-434d-b798-a4c23de29c0b + type: string + product_tags: + description: The list of product tags associated with the rule + items: + type: string + type: array required: - name - expression type: object CloudWorkloadSecurityAgentRuleCreateData: - description: Object for a single Agent rule. + description: Object for a single Agent rule properties: attributes: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateAttributes' @@ -7146,7 +7408,7 @@ components: - type type: object CloudWorkloadSecurityAgentRuleCreateRequest: - description: Request object that includes the Agent rule to create. + description: Request object that includes the Agent rule to create properties: data: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateData' 
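Review bot: The new optional `policy_id` on `CloudWorkloadSecurityAgentRuleCreateAttributes` does not say which policy a rule lands in when the field is omitted, and the `required` list is left as `name`/`expression`, so every existing caller silently continues to create rules somewhere unspecified. If there is a default policy, the description should state it, e.g. `description: The ID of the policy where the Agent rule is saved; if omitted, the rule is saved in the default policy` — adjusted to whatever the backend really does. If instead there is no default, `policy_id` belongs in `required`.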
@@ -7154,50 +7416,50 @@ components: - data type: object CloudWorkloadSecurityAgentRuleCreatorAttributes: - description: The attributes of the user who created the Agent rule. + description: The attributes of the user who created the Agent rule properties: handle: - description: The handle of the user. + description: The handle of the user example: datadog.user@example.com type: string name: - description: The name of the user. + description: The name of the user example: Datadog User nullable: true type: string type: object CloudWorkloadSecurityAgentRuleData: - description: Object for a single Agent rule. + description: Object for a single Agent rule properties: attributes: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleAttributes' id: - description: The ID of the Agent rule. + description: The ID of the Agent rule example: 3dd-0uc-h1s type: string type: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleType' type: object CloudWorkloadSecurityAgentRuleID: - description: The ID of the agent rule. + description: The ID of the Agent rule example: 3dd-0uc-h1s type: string CloudWorkloadSecurityAgentRuleKill: description: Kill system call applied on the container matching the rule properties: signal: - description: Supported signals for the kill system call. + description: Supported signals for the kill system call type: string type: object CloudWorkloadSecurityAgentRuleResponse: - description: Response object that includes an Agent rule. + description: Response object that includes an Agent rule properties: data: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleData' type: object CloudWorkloadSecurityAgentRuleType: default: agent_rule - description: The type of the resource. The value should always be `agent_rule`. + description: The type of the resource, must always be `agent_rule` enum: - agent_rule example: agent_rule 
@@ -7205,23 +7467,32 @@ components: x-enum-varnames: - AGENT_RULE CloudWorkloadSecurityAgentRuleUpdateAttributes: - description: Update an existing Cloud Workload Security Agent rule. + description: Update an existing Cloud Workload Security Agent rule properties: description: - description: The description of the Agent rule. + description: The description of the Agent rule example: My Agent rule type: string enabled: - description: Whether the Agent rule is enabled. + description: Whether the Agent rule is enabled example: true type: boolean expression: - description: The SECL expression of the Agent rule. - example: exec.file.name == \"sh\" + description: The SECL expression of the Agent rule + example: exec.file.name == "sh" + type: string + policy_id: + description: The ID of the policy where the Agent rule is saved + example: a8c8e364-6556-434d-b798-a4c23de29c0b type: string + product_tags: + description: The list of product tags associated with the rule + items: + type: string + type: array type: object CloudWorkloadSecurityAgentRuleUpdateData: - description: Object for a single Agent rule. + description: Object for a single Agent rule properties: attributes: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateAttributes' @@ -7235,7 +7506,7 @@ components: type: object CloudWorkloadSecurityAgentRuleUpdateRequest: description: Request object that includes the Agent rule with the attributes - to update. + to update properties: data: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateData' 
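Review bot: `policy_id` is now a writable attribute of `CloudWorkloadSecurityAgentRuleUpdateAttributes`, and the PATCH operation on `/agent_rules/{agent_rule_id}` separately gains a `policy_id` query parameter (later hunk), so one request can name two different policies. The description `The ID of the policy where the Agent rule is saved` does not say whether a different body value moves the rule to another policy — which changes where a possibly blocking rule is enforced — or which value wins when body and query disagree. I would either document that, e.g. `description: The ID of the policy where the Agent rule is saved; setting a different ID moves the rule to that policy`, or drop the attribute from the update schema if the query parameter is the only supported selector.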
@@ -7243,23 +7514,23 @@ components: - data type: object CloudWorkloadSecurityAgentRuleUpdaterAttributes: - description: The attributes of the user who last updated the Agent rule. + description: The attributes of the user who last updated the Agent rule properties: handle: - description: The handle of the user. + description: The handle of the user example: datadog.user@example.com type: string name: - description: The name of the user. + description: The name of the user example: Datadog User nullable: true type: string type: object CloudWorkloadSecurityAgentRulesListResponse: - description: Response object that includes a list of Agent rule. + description: Response object that includes a list of Agent rule properties: data: - description: A list of Agent rules objects. + description: A list of Agent rules objects items: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleData' type: array @@ -48801,8 +49072,10 @@ paths: x-terraform-resource: appsec_waf_exclusion_filter /api/v2/remote_config/products/cws/agent_rules: get: - description: Get the list of Cloud Security Management Threats Agent rules. + description: Get the list of Cloud Security Management Threats Agent rules operationId: ListCSMThreatsAgentRules + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityQueryAgentPolicyID' responses: '200': content: @@ -48819,14 +49092,14 @@ paths: - CSM Threats post: description: Create a new Cloud Security Management Threats Agent rule with - the given parameters. + the given parameters operationId: CreateCSMThreatsAgentRule requestBody: content: application/json: schema: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateRequest' - description: The definition of the new Agent rule. + description: The definition of the new Agent rule required: true responses: '200': 
@@ -48849,10 +49122,11 @@ paths: x-codegen-request-body-name: body /api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}: delete: - description: Delete a specific Cloud Security Management Threats Agent rule. + description: Delete a specific Cloud Security Management Threats Agent rule operationId: DeleteCSMThreatsAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + - $ref: '#/components/parameters/CloudWorkloadSecurityQueryAgentPolicyID' responses: '204': description: OK @@ -48867,10 +49141,11 @@ paths: - CSM Threats get: description: Get the details of a specific Cloud Security Management Threats - Agent rule. + Agent rule operationId: GetCSMThreatsAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + - $ref: '#/components/parameters/CloudWorkloadSecurityQueryAgentPolicyID' responses: '200': content: @@ -48894,12 +49169,13 @@ paths: operationId: UpdateCSMThreatsAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + - $ref: '#/components/parameters/CloudWorkloadSecurityQueryAgentPolicyID' requestBody: content: application/json: schema: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateRequest' - description: New definition of the Agent rule. + description: New definition of the Agent rule required: true responses: '200': 
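Review bot: The `policy_id` query parameter added to DELETE `/agent_rules/{agent_rule_id}` is optional and its shared definition only says `The ID of the Agent policy`, so the spec does not say which rule is deleted when the parameter is omitted. Rule IDs such as `3b5-v82-ns6` are now looked up within a policy; if they are not globally unique, an omitted `policy_id` on a DELETE or PATCH could act on a rule in a policy the caller did not intend. The `CloudWorkloadSecurityQueryAgentPolicyID` parameter description should state the fallback explicitly (e.g. `description: The ID of the Agent policy the rule belongs to; if omitted, the default policy is used`), or the parameter should be `required: true` on the per-rule operations. GET and PATCH on the same path get the same parameter in the two following hunks.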
@@ -48922,6 +49198,54 @@ paths: tags: - CSM Threats x-codegen-request-body-name: body + /api/v2/remote_config/products/cws/policy: + get: + description: Get the list of Cloud Security Management Threats Agent policies + operationId: ListCSMThreatsAgentPolicies + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPoliciesListResponse' + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Get all CSM Threats Agent policies + tags: + - CSM Threats + post: + description: Create a new Cloud Security Management Threats Agent policy with + the given parameters + operationId: CreateCSMThreatsAgentPolicy + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyCreateRequest' + description: The definition of the new Agent policy + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyResponse' + description: OK + '400': + $ref: '#/components/responses/BadRequestResponse' + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '409': + $ref: '#/components/responses/ConflictResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Create a CSM Threats Agent policy + tags: + - CSM Threats + x-codegen-request-body-name: body /api/v2/remote_config/products/cws/policy/download: get: description: 'The download endpoint generates a CSM Threats policy file from 
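Review bot: The new `/api/v2/remote_config/products/cws/policy` operations declare no `x-permission` block, whereas the legacy `/api/v2/security_monitoring/cloud_workload_security/agent_rules` operations in this same file list `security_monitoring_cws_agent_rules_write`; the existing remote_config agent-rule operations visible in the context lines also lack one, so this may be a family-wide omission rather than new. Creating or enabling a policy changes which rules (including blocking ones) agents enforce, so if these endpoints are gated by a permission it should be declared, e.g. `x-permission: operator: OR permissions: [security_monitoring_cws_agent_rules_write]` with the real permission name, so the docs and generated clients expose it. Separately, `post` returns `'200'` for a created resource while `'409'` uses `ConflictResponse`; that is consistent with the agent-rule endpoints, so I only note it.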
@@ -48947,6 +49271,83 @@ paths: summary: Get the latest CSM Threats policy tags: - CSM Threats + /api/v2/remote_config/products/cws/policy/{policy_id}: + delete: + description: Delete a specific Cloud Security Management Threats Agent policy + operationId: DeleteCSMThreatsAgentPolicy + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityPathAgentPolicyID' + responses: + '202': + description: OK + '204': + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '404': + $ref: '#/components/responses/NotFoundResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Delete a CSM Threats Agent policy + tags: + - CSM Threats + get: + description: Get the details of a specific Cloud Security Management Threats + Agent policy + operationId: GetCSMThreatsAgentPolicy + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityPathAgentPolicyID' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyResponse' + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '404': + $ref: '#/components/responses/NotFoundResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Get a CSM Threats Agent policy + tags: + - CSM Threats + patch: + description: 'Update a specific Cloud Security Management Threats Agent policy. + + Returns the Agent policy object when the request is successful.' 
+ operationId: UpdateCSMThreatsAgentPolicy + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityPathAgentPolicyID' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdateRequest' + description: New definition of the Agent policy + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyResponse' + description: OK + '400': + $ref: '#/components/responses/BadRequestResponse' + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '404': + $ref: '#/components/responses/NotFoundResponse' + '409': + $ref: '#/components/responses/ConcurrentModificationResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Update a CSM Threats Agent policy + tags: + - CSM Threats + x-codegen-request-body-name: body /api/v2/remote_config/products/obs_pipelines/pipelines: post: description: Create a new pipeline. @@ -51852,7 +52253,7 @@ paths: - security_monitoring_notification_profiles_write /api/v2/security_monitoring/cloud_workload_security/agent_rules: get: - description: Get the list of Agent rules. + description: Get the list of Agent rules operationId: ListCloudWorkloadSecurityAgentRules responses: '200': @@ -51880,7 +52281,7 @@ paths: application/json: schema: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateRequest' - description: The definition of the new Agent rule. + description: The definition of the new Agent rule required: true responses: '200': @@ -51907,7 +52308,7 @@ paths: - security_monitoring_cws_agent_rules_write /api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}: delete: - description: Delete a specific Agent rule. + description: Delete a specific Agent rule operationId: DeleteCloudWorkloadSecurityAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' 
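Review bot: `delete` on `/policy/{policy_id}` lists both `'202'` and `'204'` with the description `OK`, so a client reading the spec cannot tell whether a policy is gone when the call returns or only scheduled for removal. If 202 is returned while the deletion is still propagating to agents, the description should say so, e.g. `'202': description: Accepted, the policy is being deleted`, since callers in a detection or incident workflow may assume the policy's rules stopped applying immediately; if the server only ever sends one of the two, drop the other. The same `CloudWorkloadSecurityPathAgentPolicyID` path parameter is reused by `get` and `patch` in this hunk.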
@@ -51928,7 +52329,7 @@ paths:
 permissions:
 - security_monitoring_cws_agent_rules_write
 get:
- description: Get the details of a specific Agent rule.
+ description: Get the details of a specific Agent rule
 operationId: GetCloudWorkloadSecurityAgentRule
 parameters:
 - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID'
@@ -51964,7 +52365,7 @@ paths:
 application/json:
 schema:
 $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateRequest'
- description: New definition of the Agent rule.
+ description: New definition of the Agent rule
 required: true
 responses:
 '200':
diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_3409010185/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_3409010185/frozen.json
new file mode 100644
index 000000000000..39b34586a72b
--- /dev/null
+++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_3409010185/frozen.json
@@ -0,0 +1 @@
+"2025-04-15T09:10:06.353Z"
diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_3409010185/recording.har b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_3409010185/recording.har
new file mode 100644
index 000000000000..05dcef36f8c4
--- /dev/null
+++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_3409010185/recording.har
@@ -0,0 +1,67 @@ +{ + "log": { + "_recordingName": "CSM Threats/Create a CSM Threats Agent policy returns \"Bad Request\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "883ed00c3ccd7f5dcf4665bf3a474c74", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 135, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 595, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[],\"hostTagsLists\":[],\"name\":\"test\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 49, + "content": { + "mimeType": "application/json", + "size": 49, + "text": "{\"errors\":[{\"title\":\"failed to create policy\"}]}\n" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 216, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 400, + "statusText": "Bad Request" + }, + "startedDateTime": "2025-04-15T09:10:06.569Z", + "time": 191 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-OK-response_1087984389/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-OK-response_1087984389/frozen.json new file mode 100644 index 000000000000..ec8b9a8122d4 --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-OK-response_1087984389/frozen.json @@ -0,0 +1 @@ +"2025-04-15T09:10:06.769Z" 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-OK-response_1087984389/recording.har b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-OK-response_1087984389/recording.har new file mode 100644 index 000000000000..8ca5bf31ea80 --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-policy-returns-OK-response_1087984389/recording.har 
@@ -0,0 +1,109 @@ +{ + "log": { + "_recordingName": "CSM Threats/Create a CSM Threats Agent policy returns \"OK\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "f10f3f6864cc08b49f4e80d366a5862f", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 144, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 595, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"name\":\"my_agent_policy\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 424, + "content": { + "mimeType": "application/json", + "size": 424, + "text": "{\"data\":{\"id\":\"4op-0bb-yom\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"my_agent_policy\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708206895,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-15T09:10:06.772Z", + "time": 816 + }, + { + "_id": "217dfe641f33003dee9d203ae51dfa29", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ 
+ { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 543, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/4op-0bb-yom" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-04-15T09:10:07.594Z", + "time": 494 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_639435269/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_639435269/frozen.json index 98fdd1e3c939..6624562c053f 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_639435269/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_639435269/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:44.167Z" +"2025-04-01T14:30:45.280Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_639435269/recording.har b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_639435269/recording.har index 0c0edac25f7e..33ca4f7a4b2e 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_639435269/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_639435269/recording.har 
@@ -8,11 +8,64 @@ }, "entries": [ { - "_id": "5ac51b84f3dc48591cb2aee7e669dc09", + "_id": "2c22f6b800572221bb82a94431d3f6f7", "_order": 0, "cache": {}, "request": { - "bodySize": 201, + "bodySize": 190, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 595, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacsmthreatsagentrulereturnsbadrequestresponse1743517845\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 470, + "content": { + "mimeType": "application/json", + "size": 470, + "text": "{\"data\":{\"id\":\"mrs-qdn-jq8\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacsmthreatsagentrulereturnsbadrequestresponse1743517845\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517845323,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-01T14:30:45.283Z", + "time": 427 + }, + { + "_id": "3362265e367b0482ae523fc0311cf28b", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 200, "cookies": [], "headers": [ { 
@@ -32,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == sh\",\"name\":\"testcreateacsmthreatsagentrulereturnsbadrequestresponse1713895064\"},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\",\"filters\":[],\"name\":\"my_agent_rule\",\"policy_id\":\"mrs-qdn-jq8\",\"product_tags\":[]},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" }, "response": { - "bodySize": 194, + "bodySize": 128, "content": { "mimeType": "application/json", - "size": 194, - "text": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testcreateacsmthreatsagentrulereturnsbadrequestresponse1713895064` error: rule compilation error: field `sh` not found)\"]}" + "size": 128, + "text": "{\"errors\":[\"input_validation_error(Field 'name' is invalid: rule `my_agent_rule` error: multiple definition with the same ID)\"]}" }, "cookies": [], "headers": [ 
@@ -57,8 +110,50 @@ "status": 400, "statusText": "Bad Request" }, - "startedDateTime": "2024-04-23T17:57:44.174Z", - "time": 187 + "startedDateTime": "2025-04-01T14:30:45.742Z", + "time": 659 + }, + { + "_id": "a246d2606a96d40ba4855db945980300", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 543, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/mrs-qdn-jq8" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-04-01T14:30:46.405Z", + "time": 400 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-OK-response_2579892377/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-OK-response_2579892377/frozen.json index dd157e05e819..3ecb4331e9a1 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-OK-response_2579892377/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-OK-response_2579892377/frozen.json @@ -1 +1 @@ -"2024-05-22T16:22:22.200Z" +"2025-04-01T14:30:46.809Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-OK-response_2579892377/recording.har b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-OK-response_2579892377/recording.har index e221b4123bef..2c99a1e4a0f6 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-OK-response_2579892377/recording.har 
+++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-CSM-Threats-Agent-rule-returns-OK-response_2579892377/recording.har @@ -8,11 +8,11 @@ }, "entries": [ { - "_id": "cb586cad63a8674d5f807a5bffb9811b", + "_id": "24980952e3272773d13a7a2db6d72809", "_order": 0, "cache": {}, "request": { - "bodySize": 227, + "bodySize": 182, "cookies": [], "headers": [ { 
@@ -26,23 +26,76 @@ "value": "application/json" } ], - "headersSize": 598, + "headersSize": 594, "httpVersion": "HTTP/1.1", "method": "POST", "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1716394942\"},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 462, + "content": { + "mimeType": "application/json", + "size": 462, + "text": "{\"data\":{\"id\":\"eeq-02h-jhh\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517846856,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-01T14:30:46.811Z", + "time": 498 + }, + { + "_id": "2fb8bdf913e6e45fa56d91cb471a44fa", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 254, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": 
"content-type", + "value": "application/json" + } + ], + "headersSize": 597, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\",\"policy_id\":\"eeq-02h-jhh\",\"product_tags\":[]},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" }, "response": { - "bodySize": 456, + "bodySize": 512, "content": { "mimeType": "application/json", - "size": 456, - "text": "{\"data\":{\"id\":\"pn4-mo8-u5r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716394942614,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1716394942\",\"updateDate\":1716394942614,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 512, + "text": "{\"data\":{\"id\":\"ree-4gw-dk6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517847344,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\",\"updateDate\":1743517847344,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" }, "cookies": [], "headers": [ 
@@ -57,11 +110,53 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-05-22T16:22:22.209Z", - "time": 844 + "startedDateTime": "2025-04-01T14:30:47.315Z", + "time": 693 + }, + { + "_id": "2c9c987d573142d23375605a60a90870", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 545, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ree-4gw-dk6" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-04-01T14:30:48.013Z", + "time": 507 }, { - "_id": "af4f504ca69ce094030efe1c443177fa", + "_id": "e08a3d6ae3274f223453dc1acfbc3c36", "_order": 0, "cache": {}, "request": { @@ -74,11 +169,11 @@ "value": "*/*" } ], - "headersSize": 546, + "headersSize": 542, "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pn4-mo8-u5r" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/eeq-02h-jhh" }, "response": { "bodySize": 0, @@ -99,8 +194,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2024-05-22T16:22:23.065Z", - "time": 724 + "startedDateTime": "2025-04-01T14:30:48.522Z", + "time": 387 } ], "pages": [], 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1665832305/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1665832305/frozen.json index a6c5a68d2d83..35156f12c416 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1665832305/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1665832305/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:45.044Z" +"2025-04-18T09:10:11.610Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1665832305/recording.har b/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1665832305/recording.har index a3f3139a6487..182720f507cb 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1665832305/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1665832305/recording.har 
@@ -8,11 +8,64 @@ }, "entries": [ { - "_id": "8994593c4c978535429ff708d2b005d5", + "_id": "3ae8b90b9d2e30423defb6d96385b207", "_order": 0, "cache": {}, "request": { - "bodySize": 213, + "bodySize": 201, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 594, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967411\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 481, + "content": { + "mimeType": "application/json", + "size": 481, + "text": "{\"data\":{\"id\":\"byc-7rh-p5l\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967411\",\"policyVersion\":\"1\",\"priority\":1000000002,\"ruleCount\":226,\"updateDate\":1744967411964,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-18T09:10:11.823Z", + "time": 568 + }, + { + "_id": "a201dc06069a389a992fd7d4af1e7d97", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 156, "cookies": [], "headers": [ { 
@@ -32,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"open.file.path = sh\",\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1713895065\"},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\",\"filters\":[],\"name\":\"my_agent_rule\"},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules" }, "response": { - "bodySize": 223, + "bodySize": 155, "content": { "mimeType": "application/json", - "size": 223, - "text": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1713895065` error: syntax error `1:18: unexpected token \\\"sh\\\" (expected \\\"~\\\")`)\"]}\n" + "size": 155, + "text": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `my_agent_rule` error: rule syntax error: bool expected: 1:1: exec.file.name\\n^)\"]}\n" }, "cookies": [], "headers": [ 
@@ -57,8 +110,50 @@ "status": 400, "statusText": "Bad Request" }, - "startedDateTime": "2024-04-23T17:57:45.048Z", - "time": 164 + "startedDateTime": "2025-04-18T09:10:12.398Z", + "time": 285 + }, + { + "_id": "078ed09b2e4a5af620a6254dc85646c3", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 543, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/byc-7rh-p5l" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-04-18T09:10:12.689Z", + "time": 540 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_1837785469/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_1837785469/frozen.json index 897e126b36d7..7800471144d1 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_1837785469/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_1837785469/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:45.232Z" +"2025-04-01T14:30:49.909Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_1837785469/recording.har b/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_1837785469/recording.har index 5b7e39a56f00..7ac17dd5e432 100644 
--- a/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_1837785469/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_1837785469/recording.har 
@@ -8,11 +8,64 @@ }, "entries": [ { - "_id": "3f58a3dd9886b92d0186494e4cdb8179", + "_id": "7c285ff6b1ea26ec704d9b5f0246d02d", "_order": 0, "cache": {}, "request": { - "bodySize": 210, + "bodySize": 193, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 595, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 473, + "content": { + "mimeType": "application/json", + "size": 473, + "text": "{\"data\":{\"id\":\"4o4-2ha-t4b\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517849954,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-01T14:30:49.911Z", + "time": 322 + }, + { + "_id": "f29574c779d959252699b0bbd20ea20d", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 221, "cookies": [], "headers": [ { 
@@ -32,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1713895065\"},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\"},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules" }, "response": { - "bodySize": 638, + "bodySize": 671, "content": { "mimeType": "application/json", - "size": 638, - "text": "{\"data\":{\"id\":\"igj-qzb-9eq\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1713895065\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713895065356,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713895065356,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n" + "size": 671, + "text": "{\"data\":{\"id\":\"amk-lsa-s1q\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1743517850483,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1743517850483,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n" }, "cookies": [], "headers": [ @@ -51,17 +104,17 @@ "value": "application/json" } ], - "headersSize": 654, + "headersSize": 655, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-04-23T17:57:45.234Z", - "time": 177 + "startedDateTime": "2025-04-01T14:30:50.238Z", + "time": 288 }, { - "_id": "0c1bd236ec0cdff617affc03ca098caf", + "_id": "213da5037db2f28257f9696487873321", "_order": 0, "cache": {}, "request": { @@ -78,7 +131,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/igj-qzb-9eq" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/amk-lsa-s1q" }, "response": { "bodySize": 0, 
@@ -88,14 +141,56 @@ }, "cookies": [], "headers": [], - "headersSize": 601, + "headersSize": 602, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-04-01T14:30:50.532Z", + "time": 99 + }, + { + "_id": "139ce589a272ef271fbf867fa4c6b67d", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 542, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/4o4-2ha-t4b" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 204, "statusText": "No Content" }, - "startedDateTime": "2024-04-23T17:57:45.428Z", - "time": 164 + "startedDateTime": "2025-04-01T14:30:50.634Z", + "time": 315 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3323845053/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3323845053/frozen.json new file mode 100644 index 000000000000..5422b2b67442 --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3323845053/frozen.json @@ -0,0 +1 @@ +"2025-04-01T14:30:50.953Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3323845053/recording.har b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3323845053/recording.har new file mode 100644 index 000000000000..529842c254b4 --- /dev/null 
+++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3323845053/recording.har @@ -0,0 +1,57 @@ +{ + "log": { + "_recordingName": "CSM Threats/Delete a CSM Threats Agent policy returns \"Not Found\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "eb60bd34bda729d596091de8ced718cf", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 554, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/non-existent-policy-id" + }, + "response": { + "bodySize": 49, + "content": { + "mimeType": "application/json", + "size": 49, + "text": "{\"errors\":[{\"title\":\"failed to delete policy\"}]}\n" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 216, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 404, + "statusText": "Not Found" + }, + "startedDateTime": "2025-04-01T14:30:50.955Z", + "time": 157 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-OK-response_477892956/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-OK-response_477892956/frozen.json new file mode 100644 index 000000000000..7f0922054a5c --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-OK-response_477892956/frozen.json @@ -0,0 +1 @@ +"2025-04-01T14:30:51.116Z" 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-OK-response_477892956/recording.har b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-OK-response_477892956/recording.har new file mode 100644 index 000000000000..8ee243e06347 --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-policy-returns-OK-response_477892956/recording.har 
@@ -0,0 +1,152 @@ +{ + "log": { + "_recordingName": "CSM Threats/Delete a CSM Threats Agent policy returns \"OK\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "0025e1185d2ca7666988d11ece091208", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 184, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 593, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteacsmthreatsagentpolicyreturnsokresponse1743517851\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 464, + "content": { + "mimeType": "application/json", + "size": 464, + "text": "{\"data\":{\"id\":\"794-4tf-osj\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteacsmthreatsagentpolicyreturnsokresponse1743517851\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517851168,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-01T14:30:51.118Z", + "time": 346 + }, + { + "_id": "c0c40babba1ab8ef53def44216d37c4b", + "_order": 
0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 542, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/794-4tf-osj" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-04-01T14:30:51.468Z", + "time": 415 + }, + { + "_id": "c0c40babba1ab8ef53def44216d37c4b", + "_order": 1, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 543, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/794-4tf-osj" + }, + "response": { + "bodySize": 49, + "content": { + "mimeType": "application/json", + "size": 49, + "text": "{\"errors\":[{\"title\":\"failed to delete policy\"}]}\n" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 216, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 404, + "statusText": "Not Found" + }, + "startedDateTime": "2025-04-01T14:30:51.890Z", + "time": 144 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response_199236585/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response_199236585/frozen.json index 73f008715b6e..345e7769be6a 100644 
--- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response_199236585/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response_199236585/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:45.602Z" +"2025-04-01T14:30:52.038Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response_199236585/recording.har b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response_199236585/recording.har index 533d7bea3370..c39e6823ba25 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response_199236585/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response_199236585/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "ceb83d3d046b71c142fb4beb5c1fae4a", + "_id": "37943dece34a41396fd639d539b08422", "_order": 0, "cache": {}, "request": { @@ -21,11 +21,11 @@ "value": "*/*" } ], - "headersSize": 546, + "headersSize": 555, "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/non-existent-rule-id" }, "response": { "bodySize": 47, @@ -47,8 +47,8 @@ "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2024-04-23T17:57:45.616Z", - "time": 91 + "startedDateTime": "2025-04-01T14:30:52.040Z", + "time": 87 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-OK-response_3600969032/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-OK-response_3600969032/frozen.json index 660b341ed282..c8b08e798a8c 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-OK-response_3600969032/frozen.json 
+++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-OK-response_3600969032/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:45.727Z" +"2025-04-01T14:30:52.133Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-OK-response_3600969032/recording.har b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-OK-response_3600969032/recording.har index 5a426daf7f4e..94c82bf56720 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-OK-response_3600969032/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-CSM-Threats-Agent-rule-returns-OK-response_3600969032/recording.har 
@@ -8,11 +8,64 @@ }, "entries": [ { - "_id": "ee0179b35d7aff9ffc55c3742c3922ef", + "_id": "4f76bbc721ec50b0bee4961e511310a1", "_order": 0, "cache": {}, "request": { - "bodySize": 197, + "bodySize": 182, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 595, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 462, + "content": { + "mimeType": "application/json", + "size": 462, + "text": "{\"data\":{\"id\":\"kqm-fhb-eay\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517852178,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-01T14:30:52.135Z", + "time": 290 + }, + { + "_id": "1c8f6f2e7e2aa819ee4ec6a17d759a59", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 276, "cookies": [], "headers": [ { 
@@ -32,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1713895065\"},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\",\"policy_id\":\"kqm-fhb-eay\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" }, "response": { - "bodySize": 456, + "bodySize": 512, "content": { "mimeType": "application/json", - "size": 456, - "text": "{\"data\":{\"id\":\"r8q-52h-8r2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713895065801,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1713895065\",\"updateDate\":1713895065801,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 512, + "text": "{\"data\":{\"id\":\"pjy-nkm-0wb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517852458,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\",\"updateDate\":1743517852458,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" }, "cookies": [], "headers": [ @@ -57,11 +110,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-04-23T17:57:45.741Z", - "time": 401 + "startedDateTime": "2025-04-01T14:30:52.429Z", + "time": 825 }, { - "_id": "a98fb6b31ebbc73d41566eb0a2fdcab5", + "_id": "051dd302ae694fc9b7e1b2374822608d", "_order": 0, "cache": {}, "request": { @@ -74,11 +127,16 @@ "value": "*/*" } ], - "headersSize": 546, + "headersSize": 568, "httpVersion": "HTTP/1.1", "method": "DELETE", - "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/r8q-52h-8r2" + "queryString": [ + { + "name": "policy_id", + "value": "kqm-fhb-eay" + } + ], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pjy-nkm-0wb?policy_id=kqm-fhb-eay" }, "response": { "bodySize": 0, @@ -99,12 +157,12 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2024-04-23T17:57:46.157Z", - "time": 383 + "startedDateTime": "2025-04-01T14:30:53.261Z", + "time": 633 }, { - "_id": "a98fb6b31ebbc73d41566eb0a2fdcab5", - "_order": 1, + "_id": "553271fe77cf080d8c01e84523cfab6b", + "_order": 0, "cache": {}, "request": { "bodySize": 0, @@ -120,7 +178,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/r8q-52h-8r2" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pjy-nkm-0wb" }, "response": { "bodySize": 47, 
@@ -142,8 +200,50 @@ "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2024-04-23T17:57:46.553Z", - "time": 107 + "startedDateTime": "2025-04-01T14:30:53.898Z", + "time": 88 + }, + { + "_id": "10b0a06a54fa48aca1f69cf4e9e9ef1c", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 543, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/kqm-fhb-eay" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-04-01T14:30:53.991Z", + "time": 393 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1845725353/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1845725353/frozen.json index 62cecf40bb20..d8550c6f19d2 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1845725353/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1845725353/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:46.672Z" +"2025-04-01T14:30:54.389Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1845725353/recording.har b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1845725353/recording.har index ecb60f89f921..8f1e8ad2d128 100644 
--- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1845725353/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1845725353/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "61e044746a7883ac958136cfc11f87f4", + "_id": "a1e7af54a2bd4cd0da9e410f5ec68aab", "_order": 0, "cache": {}, "request": { @@ -21,18 +21,18 @@ "value": "*/*" } ], - "headersSize": 574, + "headersSize": 583, "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/non-existent-rule-id" }, "response": { - "bodySize": 72, + "bodySize": 25, "content": { "mimeType": "application/json", - "size": 72, - "text": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=abc-123-xyz)\"]}\n" + "size": 25, + "text": "{\"errors\":[\"Not found\"]}\n" }, "cookies": [], "headers": [ @@ -41,14 +41,14 @@ "value": "application/json" } ], - "headersSize": 653, + "headersSize": 630, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2024-04-23T17:57:46.679Z", - "time": 154 + "startedDateTime": "2025-04-01T14:30:54.391Z", + "time": 66 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_3551434632/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_3551434632/frozen.json index c9071bd921ab..70061a320f21 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_3551434632/frozen.json 
+++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_3551434632/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:46.852Z" +"2025-04-18T09:10:13.237Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_3551434632/recording.har b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_3551434632/recording.har index cbed1e03cad3..3ab583d301e6 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_3551434632/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_3551434632/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "087495b2e3d11cf31508673688587283", + "_id": "86ecfc4f12da3c05da2bf597071d54fe", "_order": 0, "cache": {}, "request": { 
@@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1713895066\"},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1744967413\"},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules" }, "response": { - "bodySize": 636, + "bodySize": 688, "content": { "mimeType": "application/json", - "size": 636, - "text": "{\"data\":{\"id\":\"tlm-pl7-gkc\",\"attributes\":{\"version\":1,\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1713895066\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713895066982,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713895066982,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n" + "size": 688, + "text": "{\"data\":{\"id\":\"ghk-tsf-neq\",\"attributes\":{\"version\":1,\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1744967413\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967413434,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967413434,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n" }, "cookies": [], "headers": [ @@ -57,11 +57,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-04-23T17:57:46.860Z", - "time": 168 + "startedDateTime": "2025-04-18T09:10:13.240Z", + "time": 246 }, { - "_id": "dd833ed596241df61aa3168cd6bc26d6", + "_id": "2f47c18e235cf53d4f7f57599b1dcec6", "_order": 0, "cache": {}, "request": { @@ -78,7 +78,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/tlm-pl7-gkc" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ghk-tsf-neq" }, "response": { "bodySize": 0, @@ -94,11 +94,11 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2024-04-23T17:57:47.032Z", - "time": 157 + "startedDateTime": "2025-04-18T09:10:13.491Z", + "time": 178 }, { - "_id": "dd833ed596241df61aa3168cd6bc26d6", + "_id": "2f47c18e235cf53d4f7f57599b1dcec6", "_order": 1, "cache": {}, "request": { 
@@ -111,18 +111,18 @@ "value": "*/*" } ], - "headersSize": 574, + "headersSize": 573, "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/tlm-pl7-gkc" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ghk-tsf-neq" }, "response": { "bodySize": 72, "content": { "mimeType": "application/json", "size": 72, - "text": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=tlm-pl7-gkc)\"]}\n" + "text": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=ghk-tsf-neq)\"]}\n" }, "cookies": [], "headers": [ @@ -137,8 +137,8 @@ "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2024-04-23T17:57:47.214Z", - "time": 143 + "startedDateTime": "2025-04-18T09:10:13.673Z", + "time": 256 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3666100356/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3666100356/frozen.json new file mode 100644 index 000000000000..e43a03ce40a1 --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3666100356/frozen.json @@ -0,0 +1 @@ +"2025-04-01T14:30:54.462Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3666100356/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3666100356/recording.har new file mode 100644 index 000000000000..8f19e678cec5 --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3666100356/recording.har 
@@ -0,0 +1,57 @@ +{ + "log": { + "_recordingName": "CSM Threats/Get a CSM Threats Agent policy returns \"Not Found\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "dd6eb83a4e910f0249db26a2e3076457", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + } + ], + "headersSize": 561, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/non-existent-policy-id" + }, + "response": { + "bodySize": 34, + "content": { + "mimeType": "application/json", + "size": 34, + "text": "{\"errors\":[{\"title\":\"Not Found\"}]}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 216, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 404, + "statusText": "Not Found" + }, + "startedDateTime": "2025-04-01T14:30:54.464Z", + "time": 243 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-OK-response_986315271/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-OK-response_986315271/frozen.json new file mode 100644 index 000000000000..e6c019fa7796 --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-OK-response_986315271/frozen.json @@ -0,0 +1 @@ +"2025-04-01T14:30:54.711Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-OK-response_986315271/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-OK-response_986315271/recording.har new file mode 100644 index 000000000000..0bb1f6f8ad50 --- /dev/null 
+++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-policy-returns-OK-response_986315271/recording.har 
@@ -0,0 +1,152 @@ +{ + "log": { + "_recordingName": "CSM Threats/Get a CSM Threats Agent policy returns \"OK\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "819fbd0e656d05701df58cdb4e34e693", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 181, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 595, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1743517854\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 461, + "content": { + "mimeType": "application/json", + "size": 461, + "text": "{\"data\":{\"id\":\"egv-qkr-ihb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1743517854\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517854753,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-01T14:30:54.713Z", + "time": 367 + }, + { + "_id": "f78656fc8bcec1053d974a2d06011032", + "_order": 0, + 
"cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + } + ], + "headersSize": 550, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/egv-qkr-ihb" + }, + "response": { + "bodySize": 461, + "content": { + "mimeType": "application/json", + "size": 461, + "text": "{\"data\":{\"id\":\"egv-qkr-ihb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1743517854\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517854753,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-01T14:30:55.087Z", + "time": 173 + }, + { + "_id": "7c1f0e88a5c00171a9796268102a9b1c", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 543, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/egv-qkr-ihb" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + 
"startedDateTime": "2025-04-01T14:30:55.265Z", + "time": 481 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response_460743364/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response_460743364/frozen.json index 1775db7f3f6d..b636cba1d370 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response_460743364/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response_460743364/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:47.369Z" +"2025-04-01T14:30:55.749Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response_460743364/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response_460743364/recording.har index 31f242df2535..a8decf146a78 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response_460743364/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response_460743364/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "5ff31f6e152f01dc8f2248d2ff5fd80d", + "_id": "e22ee5d87a99d8d51774a5113be6b1d8", "_order": 0, "cache": {}, "request": { @@ -21,11 +21,11 @@ "value": "application/json" } ], - "headersSize": 553, + "headersSize": 562, "httpVersion": "HTTP/1.1", "method": "GET", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/non-existent-rule-id" }, "response": { "bodySize": 44, @@ -47,8 +47,8 @@ "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2024-04-23T17:57:47.374Z", - "time": 165 + "startedDateTime": "2025-04-01T14:30:55.751Z", + "time": 311 } ], "pages": [], 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-OK-response_3077375687/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-OK-response_3077375687/frozen.json index 5e9307cd94bf..7f34cf0b55ca 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-OK-response_3077375687/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-OK-response_3077375687/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:47.555Z" +"2025-04-01T14:30:56.067Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-OK-response_3077375687/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-OK-response_3077375687/recording.har index c1149b3779a0..dcbd4b410dcf 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-OK-response_3077375687/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-CSM-Threats-Agent-rule-returns-OK-response_3077375687/recording.har 
@@ -8,11 +8,64 @@ }, "entries": [ { - "_id": "cc39669865240fdd49df49b0c228f1f8", + "_id": "b3afdaf58519ae5683848974c6321350", "_order": 0, "cache": {}, "request": { - "bodySize": 194, + "bodySize": 179, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 595, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 459, + "content": { + "mimeType": "application/json", + "size": 459, + "text": "{\"data\":{\"id\":\"lxh-tyq-n9u\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517856115,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-01T14:30:56.068Z", + "time": 377 + }, + { + "_id": "27a6662f73926412b20ff83d031acdcf", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 273, "cookies": [], "headers": [ { 
@@ -32,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1713895067\"},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"policy_id\":\"lxh-tyq-n9u\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" }, "response": { - "bodySize": 453, + "bodySize": 509, "content": { "mimeType": "application/json", - "size": 453, - "text": "{\"data\":{\"id\":\"6wy-t98-466\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713895067605,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1713895067\",\"updateDate\":1713895067605,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 509, + "text": "{\"data\":{\"id\":\"k1m-gqh-zqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517856488,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"updateDate\":1743517856488,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" }, 
"cookies": [], "headers": [ @@ -57,11 +110,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-04-23T17:57:47.561Z", - "time": 299 + "startedDateTime": "2025-04-01T14:30:56.450Z", + "time": 887 }, { - "_id": "1a7aea727e8f1be09bad453379878e35", + "_id": "9edf3fa7182239c2f6c8b4041c573e95", "_order": 0, "cache": {}, "request": { 
@@ -74,18 +127,23 @@ "value": "application/json" } ], - "headersSize": 553, + "headersSize": 575, "httpVersion": "HTTP/1.1", "method": "GET", - "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/6wy-t98-466" + "queryString": [ + { + "name": "policy_id", + "value": "lxh-tyq-n9u" + } + ], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/k1m-gqh-zqm?policy_id=lxh-tyq-n9u" }, "response": { - "bodySize": 453, + "bodySize": 509, "content": { "mimeType": "application/json", - "size": 453, - "text": "{\"data\":{\"id\":\"6wy-t98-466\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713895067000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1713895067\",\"updateDate\":1713895067000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 509, + "text": "{\"data\":{\"id\":\"k1m-gqh-zqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517856000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"updateDate\":1743517856000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" }, "cookies": [], "headers": [ 
@@ -100,11 +158,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-04-23T17:57:47.865Z", - "time": 182 + "startedDateTime": "2025-04-01T14:30:57.343Z", + "time": 246 }, { - "_id": "af9c43e18724ef774edf814d6081c1ae", + "_id": "8721cb1ed70a2ceda636c8e94ceda016", "_order": 0, "cache": {}, "request": { @@ -121,7 +179,49 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/6wy-t98-466" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/k1m-gqh-zqm" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-04-01T14:30:57.596Z", + "time": 549 + }, + { + "_id": "995c195079a6e4ab6918978d0ac9090d", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 543, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/lxh-tyq-n9u" }, "response": { "bodySize": 0, @@ -142,8 +242,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2024-04-23T17:57:48.054Z", - "time": 389 + "startedDateTime": "2025-04-01T14:30:58.149Z", + "time": 297 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1248940224/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1248940224/frozen.json index 873cf6d49b55..dde08001ee5f 100644 
--- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1248940224/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1248940224/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:48.453Z" +"2025-04-01T14:30:58.452Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1248940224/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1248940224/recording.har index bb0537ff89d7..dfe908a27a1d 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1248940224/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_1248940224/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "8cf8a22551923ecc94cb1be118b4fdc2", + "_id": "58b0e4278b1a941f43740f548704a50d", "_order": 0, "cache": {}, "request": { @@ -21,18 +21,18 @@ "value": "application/json" } ], - "headersSize": 581, + "headersSize": 590, "httpVersion": "HTTP/1.1", "method": "GET", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/non-existent-rule-id" }, "response": { - "bodySize": 72, + "bodySize": 25, "content": { "mimeType": "application/json", - "size": 72, - "text": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=abc-123-xyz)\"]}\n" + "size": 25, + "text": "{\"errors\":[\"Not found\"]}\n" }, "cookies": [], "headers": [ 
@@ -41,14 +41,14 @@ "value": "application/json" } ], - "headersSize": 653, + "headersSize": 630, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2024-04-23T17:57:48.466Z", - "time": 137 + "startedDateTime": "2025-04-01T14:30:58.454Z", + "time": 68 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_4051595395/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_4051595395/frozen.json index 039cace52e81..f9c4202684b5 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_4051595395/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_4051595395/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:48.613Z" +"2025-04-18T09:10:13.933Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_4051595395/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_4051595395/recording.har index 17c986564369..a1e9e5bec242 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_4051595395/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_4051595395/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "0dec293b85d210dd119f35f568a5273f", + "_id": "396a5dc9132e919e9d88cf562a6e9d95", "_order": 0, "cache": {}, "request": { 
@@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1713895068\"},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413\"},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules" }, "response": { - "bodySize": 633, + "bodySize": 685, "content": { "mimeType": "application/json", - "size": 633, - "text": "{\"data\":{\"id\":\"ei4-rq6-ept\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1713895068\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713895068731,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713895068731,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n" + "size": 685, + "text": "{\"data\":{\"id\":\"ajb-znb-t3g\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967414208,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967414208,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n" }, "cookies": [], "headers": [ @@ -57,11 +57,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-04-23T17:57:48.618Z", - "time": 160 + "startedDateTime": "2025-04-18T09:10:13.957Z", + "time": 297 }, { - "_id": "e9d2fdc21ea886bd462b96d289388521", + "_id": "8d9f05eff28626ab9b616ec475d8c5a2", "_order": 0, "cache": {}, "request": { 
@@ -78,14 +78,14 @@ "httpVersion": "HTTP/1.1", "method": "GET", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ei4-rq6-ept" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ajb-znb-t3g" }, "response": { - "bodySize": 633, + "bodySize": 685, "content": { "mimeType": "application/json", - "size": 633, - "text": "{\"data\":{\"id\":\"ei4-rq6-ept\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1713895068\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713895068731,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713895068731,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n" + "size": 685, + "text": "{\"data\":{\"id\":\"ajb-znb-t3g\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967414208,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967414208,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n" }, "cookies": [], "headers": [ 
@@ -100,11 +100,11 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-04-23T17:57:48.785Z", - "time": 176 + "startedDateTime": "2025-04-18T09:10:14.259Z", + "time": 196 }, { - "_id": "86492460d3e575011f3218113b23cd8e", + "_id": "123e053092705bba2906395d131199f7", "_order": 0, "cache": {}, "request": { @@ -121,7 +121,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ei4-rq6-ept" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ajb-znb-t3g" }, "response": { "bodySize": 0, @@ -137,8 +137,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2024-04-23T17:57:48.971Z", - "time": 161 + "startedDateTime": "2025-04-18T09:10:14.460Z", + "time": 202 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-policies-returns-OK-response_3772916195/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-policies-returns-OK-response_3772916195/frozen.json new file mode 100644 index 000000000000..457990ed8c5a --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-policies-returns-OK-response_3772916195/frozen.json @@ -0,0 +1 @@ +"2025-04-01T14:30:58.530Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-policies-returns-OK-response_3772916195/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-policies-returns-OK-response_3772916195/recording.har new file mode 100644 index 000000000000..92e0e8a140a0 --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-policies-returns-OK-response_3772916195/recording.har 
@@ -0,0 +1,57 @@ +{ + "log": { + "_recordingName": "CSM Threats/Get all CSM Threats Agent policies returns \"OK\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "c11ab9892196f6ff9cd9f75438c46596", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + } + ], + "headersSize": 541, + "httpVersion": "HTTP/1.1", + "method": "GET", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 687, + "content": { + "mimeType": "application/json", + "size": 687, + "text": "{\"data\":[{\"id\":\"CWS_CUSTOM-canary\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"disabledRulesCount\":1,\"enabled\":false,\"hostTags\":[],\"monitoringRulesCount\":418,\"name\":\"Datadog Managed Policy\",\"policyVersion\":\"53221\",\"priority\":1000000000,\"ruleCount\":419,\"updateDate\":1742473183000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"CWS_DD\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":true,\"disabledRulesCount\":1,\"enabled\":true,\"monitoringRulesCount\":225,\"name\":\"Datadog Managed Policy\",\"policyVersion\":\"1.40.0-rc76\",\"priority\":0,\"ruleCount\":226,\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}}]}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-01T14:30:58.534Z", + "time": 221 + } + ], + "pages": [], + "version": "1.2" + } +} 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-rules-returns-OK-response_2462152744/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-rules-returns-OK-response_2462152744/frozen.json index 266ccb8846ac..f5f270cd2f52 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-rules-returns-OK-response_2462152744/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-rules-returns-OK-response_2462152744/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:49.136Z" +"2025-04-01T14:30:58.771Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-rules-returns-OK-response_2462152744/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-rules-returns-OK-response_2462152744/recording.har index 0ac93c88eb7b..8f11cfa2a9e9 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-rules-returns-OK-response_2462152744/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Get-all-CSM-Threats-Agent-rules-returns-OK-response_2462152744/recording.har 
@@ -28,11 +28,11 @@ "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" }, "response": { - "bodySize": 150108, + "bodySize": 256107, "content": { "mimeType": "application/json", - "size": 150108, - "text": "{\"data\":[{\"id\":\"50t-g20-n4o\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1710772096000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"Randomname\",\"updateDate\":1710772096000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"oed-ka8-syl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711550899000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"my_agent_rule\",\"updateDate\":1711550899000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"lhe-ksz-xyj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711595493000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testjavagetacsmthreatsagentrulereturnsokresponse1711595493\",\"updateDate\":1711595493000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"24l-rs9-d0x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1710500975000,\"creator\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1710500975\",\"updateDate\":1710500975000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"7ts-208-rn4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AppArmor profile was modified in an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"apparmor_modified_tty\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-7m7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditctl command was used to modify auditd\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"auditctl\\\" \\u0026\\u0026 exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditctl_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-ly8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd configuration file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" \\u0026\\u0026 
open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditd_config_modified\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-ehx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd rules file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditd_rule_file_modified\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"9f3-haw-91q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS EKS service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", 
\\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"aws_eks_service_account_token_accessed\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"wgv-wsb-pse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", ~\\\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"aws_imds\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"c2g-31u-jpk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An Azure IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"azure_imds\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-a41\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The base64 command was used to decode information\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"base64\\\" \\u0026\\u0026 exec.args_flags in 
[\\\"d\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"base64_decode\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-4tl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Certutil was executed to transmit or decode a potentially malicious file\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"certutil.exe\\\" \\u0026\\u0026 ((exec.cmdline =~ \\\"*urlcache*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*split*\\\") || exec.cmdline =~ \\\"*decode*\\\")\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"certutil_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-nin\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS request was made for a chatroom domain\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"chatroom_request\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"647-nlb-uld\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility (nmap) commonly used in intrusion attacks was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zgrab\\\", \\\"zgrab2\\\", \\\"rustscan\\\", \\\"pnscan\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"common_net_intrusion_util\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"smg-le8-msf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler wrote a suspicious file in a container\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n\\u0026\\u0026 (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"])\\n\\u0026\\u0026 process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n\\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"compile_after_delivery\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"ehh-ypb-9pl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler was executed inside of a container\",\"enabled\":true,\"expression\":\"(exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || (exec.file.name == \\\"go\\\" \\u0026\\u0026 exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) \\u0026\\u0026 container.id !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/cilium-agent\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"compiler_in_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-u7b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Known offensive tool crackmap exec executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*crackmapexec*\\\", ~\\\"*cme*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"crackmap_exec_executed\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"s9m-foq-qqz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"td2-31c-ln4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"lli-czr-q4y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ 
\\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-3b9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_open_v2\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"0yj-grp-cmx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"q08-c9l-rsp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential 
files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"kv9-026-vhz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not 
in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-brb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"regedit used to export critical registry hive\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"reg.exe\\\", \\\"regedit.exe\\\"] \\u0026\\u0026 exec.cmdline in [~\\\"*hklm*\\\", ~\\\"*hkey_local_machine*\\\", ~\\\"*system*\\\", ~\\\"*sam*\\\", ~\\\"*security*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"critical_registry_export\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"ogb-clp-hot\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"cron_at_job_creation_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"wnk-nli-nbp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"mcv-y5o-zg5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"uis-h13-41q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"xa1-b6v-n2l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", 
\\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"m23-qb9-9s8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"4mx-n6o-mmb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 
process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"jr3-0m8-jlj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process launched with arguments associated with cryptominers\",\"enabled\":true,\"expression\":\"exec.args_flags in [\\\"cpu-priority\\\", \\\"donate-level\\\", ~\\\"randomx-1gb-pages\\\"] || exec.args in [~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cryptominer_args\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-6jw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process environment variables match cryptocurrency miner\",\"enabled\":true,\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", \\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cryptominer_envs\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-h1x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Docker socket was referenced in a cURL command\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"curl\\\" \\u0026\\u0026 exec.args_flags in [\\\"unix-socket\\\"] \\u0026\\u0026 exec.args in [~\\\"*docker.sock*\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"curl_docker_socket\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"mq1-y7n-kf2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) \\u0026\\u0026\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] \\u0026\\u0026\\n!(process.parent.file.name == \\\"initdb\\\" \\u0026\\u0026\\nexec.args == \\\"-c locale -a\\\") \\u0026\\u0026\\n!(process.parent.file.name == \\\"postgres\\\" \\u0026\\u0026\\nexec.args == ~\\\"*pg_wal*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"database_shell_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-u1r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process deleted common system log files\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/var/run/utmp\\\", \\\"/var/log/wtmp\\\", \\\"/var/log/btmp\\\", \\\"/var/log/lastlog\\\", \\\"/var/log/faillog\\\", \\\"/var/log/syslog\\\", \\\"/var/log/messages\\\", \\\"/var/log/secure\\\", \\\"/var/log/auth.log\\\", \\\"/var/log/boot.log\\\", \\\"/var/log/kern.log\\\"] \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"delete_system_log\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-juz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A privileged container was created\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 container.created_at \\u003c 1s \\u0026\\u0026 process.cap_permitted \\u0026 CAP_SYS_ADMIN \\u003e 
0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"deploy_priv_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"sej-11b-ey6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation attempt\",\"enabled\":true,\"expression\":\"(splice.pipe_entry_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \\u0026\\u0026 (splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dirty_pipe_attempt\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"422-svi-03v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation\",\"enabled\":true,\"expression\":\"(splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) \\u003e 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dirty_pipe_exploitation\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-beh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dotnet_dump was used to dump a process memory\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*dotnet-dump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*collect*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"dotnet_dump_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"2rq-drz-11u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process unlinked a dynamic linker config file\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dynamic_linker_config_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"2s5-ipa-ooo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process wrote to a dynamic linker config file\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", 
\\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dynamic_linker_config_write\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-4xu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the lsmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exec_lsmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-fqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The whoami command was executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"whoami\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exec_whoami\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-ev8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The wrmsr program executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"wrmsr\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exec_wrmsr\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-bus\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The executable bit was added to a newly created file\",\"enabled\":true,\"expression\":\"chmod.file.in_upper_layer \\u0026\\u0026\\nchmod.file.change_time \\u003c 30s \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026\\nchmod.file.destination.mode != chmod.file.mode \\u0026\\u0026\\nchmod.file.destination.mode \\u0026 S_IXUSR|S_IXGRP|S_IXOTH \\u003e 0 \\u0026\\u0026\\nprocess.argv in [\\\"+x\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"executable_bit_added\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"ro4-rju-1vq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An GCP IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", ~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"gcp_imds\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-bgf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A hidden file was executed in a suspicious folder\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\".*\\\" \\u0026\\u0026 exec.file.path in [~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"hidden_file_executed\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"jeh-18e-m9h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An interactive shell was started inside of a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 exec.args_flags in [\\\"i\\\"] \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"interactive_shell_in_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-x7z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process executed with arguments common with Inveigh tool usage\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*SpooferIP*\\\", ~\\\"*ReplyToIPs*\\\", ~\\\"*ReplyToDomains*\\\", ~\\\"*ReplyToMACs*\\\", ~\\\"*SnifferIP*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"inveigh_tool_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"4ov-ang-2gx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a IP check service\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ip_check_domain\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-88h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Egress traffic allowed using iptables\",\"enabled\":true,\"expression\":\"exec.comm == \\\"iptables\\\" \\u0026\\u0026 process.args in [r\\\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\\\d|[1-9]|)\\\\d)\\\\.?\\\\b){4}.*ACCEPT\\\"] \\u0026\\u0026 process.args not in [r\\\"(127\\\\.)|(10\\\\.)|(172\\\\.1[6-9]\\\\.)|(172\\\\.2[0-9]\\\\.)|(^172\\\\.3[0-1]\\\\.)|(192\\\\.168\\\\.)|(169\\\\.254\\\\.)\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"iptables_egress_allowed\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-but\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n 
\\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",
\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"])\\n\\u0026\\u0026 process.parent.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"java_shell_execution_parent\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-mfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Jupyter notebook executed a shell\",\"enabled\":true,\"expression\":\"(exec.file.name in 
[\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"test\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in [\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"jupyter_shell_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"0i7-z9o-zed\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Kubernetes pod service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/var/run/secrets/kubernetes.io/serviceaccount/**\\\", ~\\\"/run/secrets/kubernetes.io/serviceaccount/**\\\"] \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"] \\u0026\\u0026 process.file.path not in [\\\"/usr/bin/cilium-agent\\\", \\\"/coredns\\\", \\\"/usr/bin/cilium-operator\\\", \\\"/manager\\\", \\\"/fluent-bit/bin/fluent-bit\\\", \\\"/usr/local/bin/cloud-node-manager\\\", \\\"/secrets-store-csi\\\", \\\"/bin/secrets-store-csi-driver-provider-aws\\\", \\\"/usr/bin/calico-node\\\", \\\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\\\", \\\"/nginx-ingress-controller\\\", \\\"/cluster-autoscaler\\\", \\\"/cluster-proportional-autoscaler\\\", \\\"/haproxy-ingress-controller\\\", \\\"/kube-state-metrics\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/external-secrets\\\", \\\"/node-termination-handler\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/vault\\\", \\\"/usr/local/bin/kubectl\\\", 
\\\"/local-provisioner\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/usr/local/bin/vaultd\\\", \\\"/usr/local/bin/trace-driveline-writer\\\", \\\"/usr/local/bin/registration-controller\\\", \\\"/usr/local/bin/cluster-autoscaler\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"k8s_pod_service_account_token_accessed\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"2dz-kyt-nme\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) 
\\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"94l-lhd-e33\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"ucb-5zb-rmj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 
process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"5t3-iiv-rv5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded\",\"enabled\":true,\"expression\":\"load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", \\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\"] \\u0026\\u0026 process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"dkb-9ud-0ca\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container loaded a new kernel module\",\"enabled\":true,\"expression\":\"load_module.name != \\\"\\\" \\u0026\\u0026 container.id 
!=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"lrg-avx-x1k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_from_memory\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"gx3-4a5-w9a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory inside a container\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_from_memory_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"56y-vsb-zqu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"3i1-zpd-ycj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"20v-gdb-0ha\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"fyq-x5u-mv1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != 
\\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-dpm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to enable writing to model-specific registers\",\"enabled\":true,\"expression\":\"exec.comm == \\\"modprobe\\\" \\u0026\\u0026 process.args =~ \\\"*msr*allow_writes*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_msr_write\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-xv7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the kmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"kmod\\\" \\u0026\\u0026 exec.args in [~\\\"*list*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kmod_list\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-b7s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kubernetes DNS enumeration\",\"enabled\":true,\"expression\":\"dns.question.name == \\\"any.any.svc.cluster.local\\\" \\u0026\\u0026 dns.question.type == SRV \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kubernetes_dns_enumeration\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"j8a-wic-bvi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file directory\",\"enabled\":true,\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\", ~\\\"LD_PRELOAD=/dev/shm/*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ld_preload_unusual_library_path\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-fbb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Library libpam.so hooked using eBPF\",\"enabled\":true,\"expression\":\"bpf.cmd == BPF_MAP_CREATE \\u0026\\u0026 process.args in [r\\\".*libpam.so.*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"libpam_ebpf_hook\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-j1b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Looney Tunables (CVE-2023-4911) exploit attempted\",\"enabled\":true,\"expression\":\"exec.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 exec.file.uid == 0 \\u0026\\u0026 exec.uid != 0 \\u0026\\u0026 exec.envs in [~\\\"*GLIBC_TUNABLES*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"looney_tunables_exploit\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-6ql\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"memfd object created\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\"memfd*\\\" \\u0026\\u0026 exec.file.path == \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"memfd_create\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-d1i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process memory was dumped using the minidump function from comsvcs.dll\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*MiniDump*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"minidump_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"caz-yrk-14e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"enabled\":true,\"expression\":\"dns.question.name in [~\\\"*minexmr.com\\\", ~\\\"*nanopool.org\\\", ~\\\"*supportxmr.com\\\", ~\\\"*c3pool.com\\\", ~\\\"*p2pool.io\\\", ~\\\"*ethermine.org\\\", ~\\\"*f2pool.com\\\", ~\\\"*poolin.me\\\", ~\\\"*rplant.xyz\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mining_pool_lookup\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-mxb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The host file system was mounted in a container\",\"enabled\":true,\"expression\":\"mount.source.path == 
\\\"/\\\" \\u0026\\u0026 mount.fs_type != \\\"overlay\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_host_fs\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-mr5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process hidden using mount\",\"enabled\":true,\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", ~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_proc_hide\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"zfb-ixo-o4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious file was written by a network utility\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0 \\u0026\\u0026 process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_file_download\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"sqi-q1z-onu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Network utility executed with suspicious URI\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] \",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_unusual_request\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"7y2-ihu-hm2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id == \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_util\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"a52-req-ghm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Exfiltration attempt via network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 \\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", ~\\\"F=file*\\\"] \\u0026\\u0026\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_util_exfiltration\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"w0z-64n-bss\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed in a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_util_in_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-9rk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Local account groups were enumerated after container start up\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"network_sniffing_tool\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"xgw-28i-480\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container executed a new binary not found in the container image\",\"enabled\":true,\"expression\":\"container.id != \\\"\\\" \\u0026\\u0026 process.file.in_upper_layer \\u0026\\u0026 process.file.modification_time \\u003c 30s \\u0026\\u0026 exec.file.name != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"new_binary_execution_in_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"mqh-lgo-brj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"v2b-cd3-clr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"wwc-6it-t7i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"e5h-onu-f7l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-i9x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) 
\\u0026\\u0026 container.created_at \\u003e 90s \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_open_v2\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"sif-d9p-wzg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"4mu-d2x-fyk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"qt9-i99-q9p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n 
(utimes.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-d4i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"NTDS file referenced in commandline\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"ntds_in_commandline\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-49j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A known kubernetes pentesting tool has been executed\",\"enabled\":true,\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] \\u0026\\u0026 (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"offensive_k8s_tool\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"4yt-ize-avz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Omiagent spawns a privileged child process\",\"enabled\":true,\"expression\":\"exec.uid \\u003e= 0 \\u0026\\u0026 process.ancestors.file.name == \\\"omiagent\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"omigod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-tp8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process opened a model-specific register (MSR) configuration file\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/sys/module/msr/parameters/allow_writes\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"open_msr_writes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"m7d-vlh-3yq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Package management was detected in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"package_management_in_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"34t-hic-8cn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != 
chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"pfu-dvh-e5w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"x7i-34j-1rv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"w7o-w48-j34\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" 
])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"wri-hx3-4n3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"900-1sj-xhs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"pxk-42u-fga\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", 
\\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"l2e-aka-bw6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"enabled\":true,\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"passwd_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"460-gys-lqp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a pastebin-like site\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"paste_site\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"7vi-w5r-h15\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n 
\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"xiu-ghq-4zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"9ym-18v-5zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"fpa-r6g-2em\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n 
open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-y7j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_open_v2\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"9pu-mp3-xea\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"ssp-47a-p20\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have 
been modified\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"q0u-s8m-8pd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", 
\\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-8j2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A web application spawned a shell or shell utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) \\u0026\\u0026\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"potential_web_shell_parent\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-guo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was executed matching arguments for a UAC bypass technique common in powershell empire\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\\\", ~\\\"*-NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"powershell_empire_uac_bypass\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-oy4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A tool used to dump process memory has been executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"procmon.exe\\\",\\\"procdump.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"procdump_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-oyv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Processes were listed using the ps command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"ps\\\" \\u0026\\u0026 exec.argv not in [\\\"-p\\\", \\\"--pid\\\"] \\u0026\\u0026 process.ancestors.file.name not in [\\\"qualys-cloud-agent\\\", \\\"amazon-ssm-agent\\\"] \\u0026\\u0026 process.parent.file.name not in [\\\"rkhunter\\\", \\\"jspawnhelper\\\", ~\\\"vm-agent*\\\", \\\"PassengerAgent\\\", \\\"node\\\", \\\"wdavdaemon\\\", \\\"chkrootkit\\\", \\\"tsagentd\\\", \\\"wazuh-modulesd\\\", \\\"wdavdaemon\\\", \\\"talend-remote-engine-service\\\", \\\"check_procs\\\", \\\"newrelic-daemon\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ps_discovery\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"pwu-7u7-iiq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_TRACEME \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ptrace_antidebug\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"kpm-7kh-xz5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to inject code into another process\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ptrace_injection\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"wpz-bim-6rb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"enabled\":true,\"expression\":\"(exec.file.path == \\\"/usr/bin/pkexec\\\" \\u0026\\u0026 exec.envs in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] \\u0026\\u0026 exec.envs not in [~\\\"*DISPLAY*\\\", ~\\\"*DESKTOP_SESSION*\\\"] \\u0026\\u0026 exec.uid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pwnkit_privilege_escalation\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"g7f-kfr-tdb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Python code was provided on the command line\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"python*\\\" \\u0026\\u0026 exec.args_flags in [\\\"c\\\"] \\u0026\\u0026 exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", ~\\\"*-c*/bash*\\\", ~\\\"*-c*/bin/sh*\\\", ~\\\"*-c*pty.spawn*\\\"] \\u0026\\u0026 exec.args !~ \\\"*setuptools*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"python_cli_code\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-do7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Possible ransomware note created under common user directories\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", 
~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", ~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n\\u0026\\u0026 open.file.name in [r\\\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\\\"] \\u0026\\u0026 open.file.name not in [r\\\".*\\\\.lock$\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ransomware_note\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-y27\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"RC scripts modified\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 (open.file.path in [\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"rc_scripts_modified\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-qwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The kubeconfig file was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"read_kubeconfig\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-rhk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"OS information was read from the /etc/lsb-release file\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/etc/lsb-release\\\" \\u0026\\u0026 open.flags \\u0026 O_RDONLY \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"read_release_info\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-npv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Detects CVE-2022-0543\",\"enabled\":true,\"expression\":\"(open.file.path =~ \\\"/usr/lib/x86_64-linux-gnu/*\\\" \\u0026\\u0026 open.file.name in [\\\"libc-2.29.so\\\", \\\"libc-2.30.so\\\", \\\"libc-2.31.so\\\", \\\"libc-2.32.so\\\", \\\"libc-2.33.so\\\", \\\"libc-2.34.so\\\", \\\"libc-2.35.so\\\", \\\"libc-2.36.so\\\", \\\"libc-2.37.so\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"redis_sandbox_escape\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-wv3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Redis module has been created\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) \\u0026\\u0026 process.file.name in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"redis_save_module\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-6oh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Registry runkey has been modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunonceEx\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_runkey_modified\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-6x2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Service registry runkey 
modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServicesOnce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\CurrentVersion\\\\\\\\RunServices\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_service_runkey_modified\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-bv2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process matches known relay attack tool\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"*PetitPotam*\\\", ~\\\"*RottenPotato*\\\", ~\\\"*HotPotato*\\\", ~\\\"*JuicyPotato*\\\", ~\\\"*just_dce_*\\\", ~\\\"*Juicy Potato*\\\", \\\"rot.exe\\\", \\\"Potato.exe\\\", \\\"SpoolSample.exe\\\", \\\"Responder.exe\\\", ~\\\"*smbrelayx*\\\", ~\\\"*smbrelayx*\\\", ~\\\"*ntlmrelayx*\\\", ~\\\"*LocalPotato*\\\"] || exec.cmdline in [~\\\"*Invoke-Tater*\\\", ~\\\"*smbrelay*\\\", ~\\\"*ntlmrelay*\\\", ~\\\"*cme smb*\\\", ~\\\"*ntlm:NTLMhash*\\\", ~\\\"*Invoke-PetitPotam*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"relay_attack_tool_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-b5z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match rubeus credential theft tool\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*asreproast*\\\", ~\\\"*/service:krbtgt*\\\", ~\\\"*dump /luid:0x*\\\", ~\\\"*kerberoast*\\\", ~\\\"*createonly /program*\\\", ~\\\"*ptt /ticket*\\\", ~\\\"*impersonateuser*\\\", 
~\\\"*renew /ticket*\\\", ~\\\"*asktgt /user*\\\", ~\\\"*harvest /interval*\\\", ~\\\"*s4u /user*\\\", ~\\\"*hash /password*\\\", ~\\\"*golden /aes256*\\\", ~\\\"*silver /user*\\\", \\\"*rubeus*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"rubeus_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-h19\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The container breakout CVE-2024-21626 was successful\",\"enabled\":true,\"expression\":\"chdir.file.path == \\\"/sys/fs/cgroup\\\" \\u0026\\u0026 chdir.file.filesystem in [\\\"cgroup\\\", \\\"cgroup2\\\"] \\u0026\\u0026 process.file.name =~ \\\"runc.*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"runc_leaky_fd\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"tlu-qlm-1ow\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The runc binary was modified in a non-standard way\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n\\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"runc_modification\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-x51\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Safeboot registry modified\",\"enabled\":true,\"expression\":\"set.registry.key_path =~ \\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SafeBoot\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"safeboot_modification\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-vqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A scheduled task was created\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*at.exe\\\",~\\\"*schtasks*\\\"] \\u0026\\u0026 exec.cmdline =~ \\\"*create*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"scheduled_task_creation\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"wgq-lg4-tas\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SELinux enforcement status was disabled\",\"enabled\":true,\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] \\u0026\\u0026 process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"selinux_disable_enforcement\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-j45\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process is tracing privileged processes or sshd for possible credential dumping\",\"enabled\":true,\"expression\":\"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \\u0026\\u0026 ptrace.tracee.euid == 0 \\u0026\\u0026 process.comm not in [\\\"dlv\\\", \\\"dlv-linux-amd64\\\", \\\"strace\\\", \\\"gdb\\\", \\\"lldb-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sensitive_tracing\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-uv8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"systemctl used to stop a service\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"systemctl\\\" \\u0026\\u0026 exec.args in [~\\\"*stop*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"service_stop\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-qf8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"sharpup tool used for local privilege escalation\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sharpup.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*HijackablePaths*\\\", ~\\\"*UnquotedServicePath*\\\", ~\\\"*ProcessDLLHijack*\\\", ~\\\"*ModifiableServiceBinaries*\\\", ~\\\"*ModifiableScheduledTask*\\\", ~\\\"*DomainGPPPassword*\\\", ~\\\"*CachedGPPPassword*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"sharpup_tool_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"dfr-by9-sx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"(unlink.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\") \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_deleted\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"dmf-a2c-odj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A symbolic link for shell history was created targeting /dev/null\",\"enabled\":true,\"expression\":\"exec.comm == \\\"ln\\\" \\u0026\\u0026 exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_symlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"v5x-8l4-d6a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\" \\u0026\\u0026 open.file.path in [~\\\"/root/*\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.file.name == \\\"truncate\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"shell_history_truncated\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-fn2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell profile was modified\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] \\u0026\\u0026 open.flags \\u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_profile_modification\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-hbr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match sliver c2 implant\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*NoExit *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*Command *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"sliver_c2_implant_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"htc-275-0wt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != 
chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"7q3-6aa-pix\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"91f-pyq-54k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n link.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (link.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"rpc-ji0-zfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified 
keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-qwu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_open_v2\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"t5u-qdx-650\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n rename.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (rename.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"y0y-3gl-645\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n unlink.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (unlink.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"hba-kfe-1xr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n utimes.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (utimes.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-o13\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The configuration directory for an ssh worm\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] \\u0026\\u0026 open.flags \\u0026 
(O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_it_tool_config_write\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"y5i-yxn-27t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.mode != chmod.file.destination.mode\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"kyr-sg6-us9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", 
~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"w6f-wte-i63\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n 
\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"191-ty1-ede\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-qt6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 
(O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n\\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_open_v2\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"o5t-b08-86p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"9y1-cbb-p03\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"ayv-hqe-lx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 
process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-crv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-l8e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-myb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path == \\\"/etc/sudoers\\\"\\n || link.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-mmo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"\\n(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n(open.file.path == \\\"/etc/sudoers\\\")) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-550\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path == \\\"/etc/sudoers\\\"\\n || rename.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-bxs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-s07\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-5wh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a SUID file was executed\",\"enabled\":true,\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) \\u0026\\u0026 process.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 process.file.uid == 0 \\u0026\\u0026 process.uid != 0 \\u0026\\u0026 process.file.path != \\\"/usr/bin/sudo\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suid_file_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-4y4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious bitsadmin command has been executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"bitsadmin.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*addfile*\\\", ~\\\"*create*\\\", ~\\\"*resume*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"suspicious_bitsadmin_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"afj-5sv-2wb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container management utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"suspicious_container_client\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-eck\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dll written to a suspicious directory\",\"enabled\":true,\"expression\":\"create.file.name =~ \\\"*.dll\\\" \\u0026\\u0026 create.file.path !~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"suspicious_dll_write\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-2k6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Suspicious usage of ntdsutil\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"ntdsutil.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*ntds*\\\", ~\\\"*create*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"suspicious_ntdsutil_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-zo8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently written or modified suid file has been executed\",\"enabled\":true,\"expression\":\"((process.file.mode \\u0026 S_ISUID \\u003e 0) \\u0026\\u0026 process.file.modification_time \\u003c 30s) \\u0026\\u0026 exec.file.name != \\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", 
\\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suspicious_suid_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"48s-46n-g4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"wwy-h4d-pwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in 
[~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"64n-p6m-uq1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"7zw-qbm-y6d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", 
~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"prk-6q1-g0m\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"jlt-y4v-dax\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", 
~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"yjj-o5q-x00\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-18q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tar archive created\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" \\u0026\\u0026 exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tar_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-925\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell with a TTY was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 process.tty_name != \\\"\\\" \\u0026\\u0026 process.container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tty_shell_in_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-hlr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tunneling or port forwarding tool used\",\"enabled\":true,\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") \\u0026\\u0026 process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] \\u0026\\u0026 process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] \\u0026\\u0026 process.args in 
[r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" \\u0026\\u0026 process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" \\u0026\\u0026 process.args in [r\\\".*(TCP4-LISTEN:|SOCKS).*\\\"]) || (exec.comm in [\\\"iodine\\\", \\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] \\u0026\\u0026 process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tunnel_traffic\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"07y-k18-cih\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was created via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"D\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"user_created_tty\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-qem\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was deleted via an interactive 
session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"userdel\\\", \\\"deluser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"user_deleted_tty\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-fsq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A cryptominer was potentially executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*xmrig*\\\", ~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", ~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_cryptominer_process\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-vjv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Command executed via WMI\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name == \\\"WmiPrvSE.exe\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"wmi_spawning_shell\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}}]}" + "size": 256107, + "text": 
"{\"data\":[{\"id\":\"50t-g20-n4o\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1710772096000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"Randomname\",\"updateDate\":1710772096000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4mc-0xr-vlw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714264624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714264624\",\"updateDate\":1714264624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zu3-7yi-3w0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714696626000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714696624\",\"updateDate\":1714696626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xg2-lum-j2a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714783024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714783024\",\"updateDate\":1714783024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rsm-fam-pfp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714869424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714869424\",\"updateDate\":1714869424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ulx-voj-zk3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714883824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714883824\",\"updateDate\":1714883824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nio-59w-ip8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714927026000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714927026\",\"updateDate\":1714927026000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5zt-j5u-aqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715287024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715287024\",\"updateDate\":1715287024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"k8w-brg-51l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715445426000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715445424\",\"updateDate\":1715445426000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"eue-gqs-59v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715503024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715503024\",\"updateDate\":1715503024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9wz-mgt-zkp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715546226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715546226\",\"updateDate\":1715546226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fii-ysi-7bu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1715618226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715618224\",\"updateDate\":1715618226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hhl-9nk-8ls\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715819826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715819824\",\"updateDate\":1715819826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rc4-b53-3sj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715863024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715863024\",\"updateDate\":1715863024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w3d-qp8-3yb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716309424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1716309424\",\"updateDate\":1716309424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"cvn-qsw-ibn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716410225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1716410224\",\"updateDate\":1716410225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vyd-2vb-tnk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1738469890000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1738469890\",\"updateDate\":1738469890000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ulc-hn1-cz5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725295024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1725295023\",\"updateDate\":1725295024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"jbe-827-tq7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732768624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1732768624\",\"updateDate\":1732768624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ezw-7rm-wca\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735634224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1735634224\",\"updateDate\":1735634224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"p4n-ijm-zeu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714155721000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714155721\",\"updateDate\":1714155721000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"piq-bha-m6t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714279024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714279024\",\"updateDate\":1714279024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rno-53m-mf3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714538225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714538225\",\"updateDate\":1714538225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bwj-n0m-ut5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714653425000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714653424\",\"updateDate\":1714653425000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hk2-qrd-3jt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714667824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714667824\",\"updateDate\":1714667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zdz-ued-luw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714797424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714797424\",\"updateDate\":1714797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tf1-bgq-7bb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714883824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714883824\",\"updateDate\":1714883824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"35e-29w-qhu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715128624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715128624\",\"updateDate\":1715128624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"iyj-haq-dvu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715373426000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715373425\",\"updateDate\":1715373426000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rgf-wo7-4fj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715402226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715402224\",\"updateDate\":1715402226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"stq-uwx-efd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715531824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715531824\",\"updateDate\":1715531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"i0b-hk0-7h3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715560625000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715560625\",\"updateDate\":1715560625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0zl-ilo-guv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716050224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716050224\",\"updateDate\":1716050224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"e7g-3t1-hpu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1716352624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716352624\",\"updateDate\":1716352624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qoe-y42-hqp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716554224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716554224\",\"updateDate\":1716554224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sic-1px-69u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717418225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1717418224\",\"updateDate\":1717418225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3kk-4rm-qug\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1718426224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1718426224\",\"updateDate\":1718426224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"b79-xcg-63p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719059824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719059824\",\"updateDate\":1719059824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"veg-qf4-lgr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719967025000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719967024\",\"updateDate\":1719967025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ukn-yjf-h6a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719981424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719981423\",\"updateDate\":1719981424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ssm-zlm-vqh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720312626000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1720312624\",\"updateDate\":1720312626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qba-1qm-uj5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721075824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721075824\",\"updateDate\":1721075824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uhw-kuq-ute\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721119025000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721119024\",\"updateDate\":1721119025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ftd-d3e-byt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721666224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721666224\",\"updateDate\":1721666224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9n1-l1g-u4k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1721853424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721853423\",\"updateDate\":1721853424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4qm-ikt-fpr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721954224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721954223\",\"updateDate\":1721954224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"d7t-4i4-tex\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1722659826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1722659824\",\"updateDate\":1722659826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mda-uab-xow\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723178226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1723178224\",\"updateDate\":1723178226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3cv-rwp-2t7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724215024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724215024\",\"updateDate\":1724215024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vvb-sfk-jn1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724647024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724647024\",\"updateDate\":1724647024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"li0-j5t-0hv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724848624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724848624\",\"updateDate\":1724848624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hlp-8dr-0i3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725467825000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1725467823\",\"updateDate\":1725467825000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xw4-uw8-mmx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725885424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1725885424\",\"updateDate\":1725885424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3gw-vkx-b7s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728419826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1728419824\",\"updateDate\":1728419826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xxc-35o-apy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1729427824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1729427824\",\"updateDate\":1729427824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3hj-2t8-ydm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1729787824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1729787824\",\"updateDate\":1729787824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zt8-od0-yxu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730205424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730205423\",\"updateDate\":1730205424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"svl-2s4-jd4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730450224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730450223\",\"updateDate\":1730450224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ycc-lv0-6oj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730939824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730939824\",\"updateDate\":1730939824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"d2g-d0v-w1l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732019824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732019824\",\"updateDate\":1732019824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7s9-sfq-2km\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732552624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732552624\",\"updateDate\":1732552624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tb2-3ij-eep\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732667824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732667824\",\"updateDate\":1732667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sfj-gky-roy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732869424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732869424\",\"updateDate\":1732869424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sz5-kvy-3kd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732927024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732927024\",\"updateDate\":1732927024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"2vn-l1s-b0y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733013424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733013424\",\"updateDate\":1733013424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nco-423-hiu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733531824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733531824\",\"updateDate\":1733531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"l57-d8u-edg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1733546224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733546224\",\"updateDate\":1733546224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4sz-cc7-ukd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733560627000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733560624\",\"updateDate\":1733560627000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"o9g-ptk-2zv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733575024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733575024\",\"updateDate\":1733575024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xg0-u09-xir\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733603824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733603824\",\"updateDate\":1733603824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fog-8k1-fzi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733704624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733704624\",\"updateDate\":1733704624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wzz-ni8-56v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733963824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733963824\",\"updateDate\":1733963824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mdn-0hh-uw1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734050226000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734050223\",\"updateDate\":1734050226000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3ox-06e-x4c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734093424000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734093423\",\"updateDate\":1734093424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uyv-a9k-8l7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734395826000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734395824\",\"updateDate\":1734395826000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5b4-k0v-rzw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734424624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734424623\",\"updateDate\":1734424624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w60-a8d-qrd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734439024000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734439023\",\"updateDate\":1734439024000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zsr-y94-6u2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1734482226000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734482224\",\"updateDate\":1734482226000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0t6-uce-ee0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734899824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734899824\",\"updateDate\":1734899824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fiw-wuv-ueg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734914224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734914224\",\"updateDate\":1734914224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"n8l-rby-b42\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735072624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735072624\",\"updateDate\":1735072624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"v14-hvg-0fd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735216626000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735216624\",\"updateDate\":1735216626000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"shf-bur-1id\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735288624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735288624\",\"updateDate\":1735288624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"18r-273-a6u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735547824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735547824\",\"updateDate\":1735547824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1ys-tf8-u32\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735562224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735562224\",\"updateDate\":1735562224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1ej-lz6-3iy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735648624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735648624\",\"updateDate\":1735648624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"981-x7o-izo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735749424000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735749424\",\"updateDate\":1735749424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"897-56j-4uj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735907824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735907823\",\"updateDate\":1735907824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"f5p-men-xz3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1735994224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735994224\",\"updateDate\":1735994224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wt2-84b-uy6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737433133000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1737433133\",\"updateDate\":1737433133000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"269-p6y-i3p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742473183000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1742473182\",\"updateDate\":1742473183000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vxv-90c-vm4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714279023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714279022\",\"updateDate\":1714279024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rta-b8v-4uf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714322223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714322222\",\"updateDate\":1714322224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qo2-qin-6hg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714351023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714351022\",\"updateDate\":1714351024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"aoo-snu-t5u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714423023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714423023\",\"updateDate\":1714423024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vsk-ewy-s83\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714451823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714451823\",\"updateDate\":1714451824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"o4r-6tp-yk0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714466223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714466223\",\"updateDate\":1714466224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"710-xzg-ays\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714480623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714480623\",\"updateDate\":1714480624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tjr-ib4-gya\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714509423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714509423\",\"updateDate\":1714509424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"yep-euy-ttp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714552623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714552623\",\"updateDate\":1714552624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ps4-63s-bzc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714567023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714567023\",\"updateDate\":1714567024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kax-qcg-qu0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714581423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714581423\",\"updateDate\":1714581424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"245-ynt-xcy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714610223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714610223\",\"updateDate\":1714610224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1m6-dg0-lq9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714624623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714624623\",\"updateDate\":1714624624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3xf-404-qez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714667823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714667823\",\"updateDate\":1714667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"e6l-qo1-y2e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714682223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714682223\",\"updateDate\":1714682224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"k95-kl4-jxt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714696623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714696623\",\"updateDate\":1714696627000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"es7-rhv-nra\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714797423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714797422\",\"updateDate\":1714797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"syl-o29-0dq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714826223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714826223\",\"updateDate\":1714826223000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7sd-d1r-ts5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714840623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714840622\",\"updateDate\":1714840624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"97d-p9d-x1d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714941423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714941422\",\"updateDate\":1714941424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mgl-xtg-ctl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715027823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715027822\",\"updateDate\":1715027824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"a9f-o95-atg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715128623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715128622\",\"updateDate\":1715128624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rjm-biu-bqq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715272623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715272622\",\"updateDate\":1715272624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nor-y5a-3sn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715373423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715373422\",\"updateDate\":1715373424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4fo-giq-5f8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715416623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715416622\",\"updateDate\":1715416624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"c79-8dg-klx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715445423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715445422\",\"updateDate\":1715445424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"f4p-2wj-hrf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715459823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715459822\",\"updateDate\":1715459824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bou-hvm-24h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715474223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715474222\",\"updateDate\":1715474224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"lf1-s8g-yf7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715503023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715503022\",\"updateDate\":1715503024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"krx-co0-pz2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715531823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715531822\",\"updateDate\":1715531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uqg-z0t-83n\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1715575023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715575022\",\"updateDate\":1715575024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kid-vkk-fj9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715603823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715603822\",\"updateDate\":1715603824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"h4n-yuq-2mp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715632623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715632622\",\"updateDate\":1715632624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ocv-we5-g5y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715661423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715661422\",\"updateDate\":1715661423000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mzh-gda-c24\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715762223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715762222\",\"updateDate\":1715762224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mtg-s1f-xy5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716050223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716050222\",\"updateDate\":1716050224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"6ak-6po-dd6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716640623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716640622\",\"updateDate\":1716640624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5rb-4q9-p5g\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716813423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716813422\",\"updateDate\":1716813424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"b7w-xgg-ocq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717130223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717130222\",\"updateDate\":1717130226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1l2-7qh-mfa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717432623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717432622\",\"updateDate\":1717432626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"m77-qgu-c48\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717677423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717677422\",\"updateDate\":1717677424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"f2b-qds-3f4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1718815023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1718815022\",\"updateDate\":1718815024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xh4-cv2-cfa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719031023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719031022\",\"updateDate\":1719031024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fxe-inc-9zj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719938223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719938222\",\"updateDate\":1719938225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"pb3-26n-452\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719981423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719981422\",\"updateDate\":1719981424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hgr-nny-7zr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720471023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1720471022\",\"updateDate\":1720471024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wvg-hbj-6o2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720600623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1720600622\",\"updateDate\":1720600624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9ji-2p2-v00\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721248623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721248623\",\"updateDate\":1721248625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"dou-40j-cpw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721378223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721378223\",\"updateDate\":1721378224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qd9-39s-51s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721666223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721666223\",\"updateDate\":1721666224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"g9j-hhf-7at\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1722703023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1722703023\",\"updateDate\":1722703024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ybg-c9d-29b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723034223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723034223\",\"updateDate\":1723034224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hsg-toh-i57\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1723610223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723610223\",\"updateDate\":1723610224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tiy-95c-mkc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723797423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723797423\",\"updateDate\":1723797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7rw-grx-l7u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1726331823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1726331822\",\"updateDate\":1726331823000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"k1r-tva-i6e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1727829423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1727829422\",\"updateDate\":1727829425000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4bk-eaa-j5w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728664623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1728664622\",\"updateDate\":1728664623000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qk2-gkn-517\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730162223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730162223\",\"updateDate\":1730162225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ybl-tp8-aab\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730263023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730263022\",\"updateDate\":1730263025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3xd-vam-hd2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730479023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730479022\",\"updateDate\":1730479024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ro3-z56-52j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732221423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1732221423\",\"updateDate\":1732221424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3ay-9ve-3i3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732451823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1732451822\",\"updateDate\":1732451823000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"a66-2qy-xwe\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733128623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733128622\",\"updateDate\":1733128625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9of-ebc-ypn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1733143023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733143022\",\"updateDate\":1733143023000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"b68-yq9-x3q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733200623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733200622\",\"updateDate\":1733200625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ev9-rxn-om1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733272623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733272622\",\"updateDate\":1733272626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"gds-0mc-sle\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733330223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733330222\",\"updateDate\":1733330225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rwf-5af-jaw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733618223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733618222\",\"updateDate\":1733618223000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"z2v-n54-g9a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733661423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733661422\",\"updateDate\":1733661424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vma-z5w-bi9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734179823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734179822\",\"updateDate\":1734179825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ya9-48i-611\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734496623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734496623\",\"updateDate\":1734496625000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"l9m-5ce-g9i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734525423000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734525422\",\"updateDate\":1734525423000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kbx-ylg-k86\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734597423000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734597422\",\"updateDate\":1734597424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rec-v3q-e1c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734770223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734770223\",\"updateDate\":1734770227000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tr5-g9p-4jx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1734799023000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734799023\",\"updateDate\":1734799025000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tps-9zv-vpp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734899823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734899823\",\"updateDate\":1734899825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0rc-s4t-d0f\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735562223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735562223\",\"updateDate\":1735562225000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ekr-3xj-8yj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735619823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735619823\",\"updateDate\":1735619825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"p6o-t98-nm1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735691823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735691823\",\"updateDate\":1735691824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nue-wxi-y3i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735720623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735720623\",\"updateDate\":1735720626000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w95-d3h-c3r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735864623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735864622\",\"updateDate\":1735864625000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"6w8-3xn-j4c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1736066223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1736066222\",\"updateDate\":1736066224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hcr-3py-6it\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1736807340000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1736807340\",\"updateDate\":1736807342000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"00d-kfn-fwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740025013000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1740025013\",\"updateDate\":1740025019000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ceu-3h6-qug\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740269813000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1740269813\",\"updateDate\":1740269814000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"oed-ka8-syl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711550899000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"my_agent_rule\",\"updateDate\":1711550899000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"v9x-9ib-tr7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737288363000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"im a rule\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"qljifimbbh\",\"updateDate\":1737288363000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ast-isd-tty\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715645381000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1715645381\",\"updateDate\":1715645381000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"9l7-am7-hy6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1736986169000,\"creator\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1736986169\",\"updateDate\":1736986169000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"tw0-y2e-9wf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1738627773000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1738627773\",\"updateDate\":1738627773000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"cdy-cvp-oqz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728617680000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testjavacreateacsmthreatsagentrulereturnsokresponse1728617679\",\"updateDate\":1728617680000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"tth-j42-vc4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732591470000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testjavacreateacsmthreatsagentrulereturnsokresponse1732591469\",\"updateDate\":1732591470000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"lhe-ksz-xyj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711595493000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testjavagetacsmthreatsagentrulereturnsokresponse1711595493\",\"updateDate\":1711595493000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"73h-yo0-427\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725240870000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1725240869\",\"updateDate\":1725240870000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ohq-oxe-jb4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1726883002000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1726883002\",\"updateDate\":1726883002000,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"912-lu2-2sg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1731203077000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1731203077\",\"updateDate\":1731203077000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"5c8-aij-182\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720156180000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testrustgetacsmthreatsagentrulereturnsokresponse1720156180\",\"updateDate\":1720156180000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5jy-8qa-vwx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724216976000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testrustupdateacsmthreatsagentrulereturnsbadrequestresponse1724216976\",\"updateDate\":1724216976000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"24l-rs9-d0x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1710500975000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1710500975\",\"updateDate\":1710500975000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"pz7-rvb-ckm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734692969000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1734692969\",\"updateDate\":1734692970000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ctc-pux-luh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737951387000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1737951387\",\"updateDate\":1737951389000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"v64-qmf-tal\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740543488000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1740543488\",\"updateDate\":1740543488000,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"7ts-208-rn4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AppArmor profile was modified in an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"apparmor_modified_tty\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-7m7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditctl command was used to modify auditd\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"auditctl\\\" \\u0026\\u0026 exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditctl_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ly8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd configuration file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditd_config_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ehx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd rules file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditd_rule_file_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dnj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS CLI utility was executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"aws\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"aws_cli_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9f3-haw-91q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS EKS service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", 
\\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"aws_eks_service_account_token_accessed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wgv-wsb-pse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", ~\\\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"aws_imds\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"c2g-31u-jpk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An Azure IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"azure_imds\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-a41\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The base64 command was used to decode information\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"base64\\\" \\u0026\\u0026 exec.args_flags in [\\\"d\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"base64_decode\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4tl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Certutil was executed to transmit or decode a potentially malicious file\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"certutil.exe\\\" \\u0026\\u0026 ((exec.cmdline =~ \\\"*urlcache*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*split*\\\") || exec.cmdline =~ \\\"*decode*\\\")\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"certutil_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nin\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS request was made for a chatroom domain\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"chatroom_request\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"647-nlb-uld\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility (nmap) commonly used in intrusion attacks was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zgrab\\\", \\\"zgrab2\\\", \\\"rustscan\\\", \\\"pnscan\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"common_net_intrusion_util\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"smg-le8-msf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler wrote a suspicious file in a container\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n\\u0026\\u0026 (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"])\\n\\u0026\\u0026 process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n\\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"compile_after_delivery\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ehh-ypb-9pl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler was executed inside of a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || (exec.file.name == \\\"go\\\" \\u0026\\u0026 exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) \\u0026\\u0026 container.id !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path != 
\\\"/usr/bin/cilium-agent\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"compiler_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-u7b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Known offensive tool crackmap exec executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*crackmapexec*\\\", ~\\\"*cme.exe*\\\", ~\\\"*cme.py*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"crackmap_exec_executed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"s9m-foq-qqz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"credential_modified_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"td2-31c-ln4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lli-czr-q4y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || 
link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-3b9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 
process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"0yj-grp-cmx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"credential_modified_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"q08-c9l-rsp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kv9-026-vhz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", 
\\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-brb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"regedit used to export critical registry hive\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"reg.exe\\\", \\\"regedit.exe\\\"] \\u0026\\u0026 exec.cmdline in [~\\\"*hklm*\\\", ~\\\"*hkey_local_machine*\\\", ~\\\"*system*\\\", ~\\\"*sam*\\\", ~\\\"*security*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"critical_registry_export\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-xg6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a critical windows file was modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\system32\\\\**\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"critical_windows_files_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ogb-clp-hot\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wnk-nli-nbp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mcv-y5o-zg5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"]\\n || link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"uis-h13-41q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n 
\\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xa1-b6v-n2l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"m23-qb9-9s8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron 
scheduling\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4mx-n6o-mmb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jr3-0m8-jlj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process 
launched with arguments associated with cryptominers\",\"enabled\":true,\"expression\":\"exec.args_options in [~\\\"cpu-priority*\\\", ~\\\"donate-level*\\\"] || exec.args_flags == \\\"randomx-1gb-pages\\\" || exec.args in [~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cryptominer_args\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6jw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process environment variables match cryptocurrency miner\",\"enabled\":true,\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", \\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cryptominer_envs\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0fx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell process spawned from print server\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 process.parent.file.name == \\\"foomatic-rip\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cups_spawned_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-h1x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Docker socket was referenced in a cURL command\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"curl\\\" 
\\u0026\\u0026 exec.args_flags in [\\\"unix-socket\\\"] \\u0026\\u0026 exec.args in [~\\\"*docker.sock*\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"curl_docker_socket\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mq1-y7n-kf2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"]) \\u0026\\u0026\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] \\u0026\\u0026\\n!(process.parent.file.name == \\\"initdb\\\" \\u0026\\u0026\\nexec.args == \\\"-c locale -a\\\") \\u0026\\u0026\\n!(process.parent.file.name == \\\"postgres\\\" \\u0026\\u0026\\nexec.args == ~\\\"*pg_wal*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"database_shell_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0en\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The debugfs was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"debugfs\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"debugfs_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-u1r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process deleted common system log files\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/var/run/utmp\\\", \\\"/var/log/wtmp\\\", \\\"/var/log/btmp\\\", \\\"/var/log/lastlog\\\", \\\"/var/log/faillog\\\", \\\"/var/log/syslog\\\", \\\"/var/log/messages\\\", \\\"/var/log/secure\\\", \\\"/var/log/auth.log\\\", \\\"/var/log/boot.log\\\", \\\"/var/log/kern.log\\\"] \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"delete_system_log\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-juz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A privileged container was created\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 container.created_at \\u003c 1s \\u0026\\u0026 process.cap_permitted \\u0026 CAP_SYS_ADMIN \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"deploy_priv_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A file executed from /dev/shm/ directory\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/dev/shm/**\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"devshm_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sej-11b-ey6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation attempt\",\"enabled\":true,\"expression\":\"(splice.pipe_entry_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \\u0026\\u0026 (splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dirty_pipe_attempt\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"422-svi-03v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation\",\"enabled\":true,\"expression\":\"(splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) \\u003e 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dirty_pipe_exploitation\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-beh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dotnet_dump was used to dump a process memory\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*dotnet-dump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*collect*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"dotnet_dump_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2rq-drz-11u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process unlinked a dynamic linker config file\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dynamic_linker_config_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2s5-ipa-ooo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process wrote to a dynamic linker config file\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dynamic_linker_config_write\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4xu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the lsmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exec_lsmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The whoami command was executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"whoami\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exec_whoami\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ev8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The wrmsr program executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"wrmsr\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exec_wrmsr\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bus\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The executable bit was added to a newly created file\",\"enabled\":true,\"expression\":\"chmod.file.in_upper_layer \\u0026\\u0026\\nchmod.file.change_time \\u003c 30s \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026\\nchmod.file.destination.mode != chmod.file.mode \\u0026\\u0026\\nchmod.file.destination.mode \\u0026 S_IXUSR|S_IXGRP|S_IXOTH \\u003e 0 \\u0026\\u0026\\nprocess.argv in [\\\"+x\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"executable_bit_added\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nv0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The rclone utility was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"rclone\\\", \\\"rsync\\\", \\\"sftp\\\", \\\"ftp\\\", \\\"scp\\\", \\\"dcp\\\", \\\"rcp\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"file_sync_exfil\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-t06\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"find command searching for sensitive files\",\"enabled\":true,\"expression\":\"exec.comm == \\\"find\\\" \\u0026\\u0026 exec.args in [~\\\"*credentials*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"find_credentials\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ro4-rju-1vq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An GCP IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", ~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"gcp_imds\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bgf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A hidden file was executed in a suspicious 
folder\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\".*\\\" \\u0026\\u0026 exec.file.path in [~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"hidden_file_executed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lkj-jnb-khe\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDSv1 request was issued\",\"enabled\":false,\"expression\":\"imds.cloud_provider == \\\"aws\\\" \\u0026\\u0026 imds.aws.is_imds_v2 == false \\u0026\\u0026 process.file.name not in ${imds_v1_usage_services}\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"imds_v1_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jeh-18e-m9h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An interactive shell was started inside of a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] 
\\u0026\\u0026 exec.args_flags in [\\\"i\\\"] \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"interactive_shell_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-x7z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process executed with arguments common with Inveigh tool usage\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*SpooferIP*\\\", ~\\\"*ReplyToIPs*\\\", ~\\\"*ReplyToDomains*\\\", ~\\\"*ReplyToMACs*\\\", ~\\\"*SnifferIP*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"inveigh_tool_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4ov-ang-2gx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a IP check service\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ip_check_domain\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-88h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Egress traffic allowed using iptables\",\"enabled\":true,\"expression\":\"exec.comm == \\\"iptables\\\" \\u0026\\u0026 process.args in [r\\\"OUTPUT.*((25[0-5]|(2[0-4]|1\\\\d|[1-9]|)\\\\d)\\\\.?\\\\b){4}.*ACCEPT\\\"] \\u0026\\u0026 process.args not in 
[r\\\"(127\\\\.)|(10\\\\.)|(172\\\\.1[6-9]\\\\.)|(172\\\\.2[0-9]\\\\.)|(^172\\\\.3[0-1]\\\\.)|(192\\\\.168\\\\.)|(169\\\\.254\\\\.)\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"iptables_egress_allowed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qnj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process made an outbound IRC connection\",\"enabled\":true,\"expression\":\"connect.addr.port == 6667 \\u0026\\u0026 connect.addr.is_public == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"irc_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-but\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"])\\n\\u0026\\u0026 process.parent.file.name in [\\\"java\\\", \\\"jspawnhelper\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"java_shell_execution_parent\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Jupyter notebook executed a shell\",\"enabled\":true,\"expression\":\"(exec.file.name in [\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"te
st\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in [\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"jupyter_shell_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"0i7-z9o-zed\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Kubernetes pod service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/var/run/secrets/kubernetes.io/serviceaccount/**\\\", ~\\\"/run/secrets/kubernetes.io/serviceaccount/**\\\"] \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", 
~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"] \\u0026\\u0026 process.file.path not in [\\\"/usr/bin/cilium-agent\\\", \\\"/coredns\\\", \\\"/usr/bin/cilium-operator\\\", \\\"/manager\\\", \\\"/fluent-bit/bin/fluent-bit\\\", \\\"/usr/local/bin/cloud-node-manager\\\", \\\"/secrets-store-csi\\\", \\\"/bin/secrets-store-csi-driver-provider-aws\\\", \\\"/usr/bin/calico-node\\\", \\\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\\\", \\\"/nginx-ingress-controller\\\", \\\"/cluster-autoscaler\\\", \\\"/cluster-proportional-autoscaler\\\", \\\"/haproxy-ingress-controller\\\", \\\"/kube-state-metrics\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/external-secrets\\\", \\\"/node-termination-handler\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/vault\\\", \\\"/usr/local/bin/kubectl\\\", \\\"/local-provisioner\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/usr/local/bin/vaultd\\\", \\\"/usr/local/bin/trace-driveline-writer\\\", \\\"/usr/local/bin/registration-controller\\\", \\\"/usr/local/bin/cluster-autoscaler\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"k8s_pod_service_account_token_accessed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2dz-kyt-nme\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"94l-lhd-e33\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ucb-5zb-rmj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"5t3-iiv-rv5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A 
kernel module was loaded\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == false \\u0026\\u0026 load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", \\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\", \\\"udp_diag\\\", \\\"inet_diag\\\"] \\u0026\\u0026 process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dkb-9ud-0ca\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container loaded a new kernel module\",\"enabled\":true,\"expression\":\"load_module.name != \\\"\\\" \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lrg-avx-x1k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_from_memory\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"gx3-4a5-w9a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory inside a 
container\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_from_memory_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"56y-vsb-zqu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3i1-zpd-ycj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ 
~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"20v-gdb-0ha\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"kernel_module_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"fyq-x5u-mv1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dpm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to enable writing to model-specific registers\",\"enabled\":true,\"expression\":\"exec.comm == \\\"modprobe\\\" \\u0026\\u0026 process.args =~ \\\"*msr*allow_writes*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_msr_write\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-xv7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the kmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"kmod\\\" \\u0026\\u0026 exec.args in [~\\\"*list*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kmod_list\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j1p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows Known DLLs location registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\KnownDLLs*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"known_dll_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-b7s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kubernetes DNS enumeration\",\"enabled\":true,\"expression\":\"dns.question.name == \\\"any.any.svc.cluster.local\\\" \\u0026\\u0026 dns.question.type == SRV \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kubernetes_dns_enumeration\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"j8a-wic-bvi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file directory\",\"enabled\":true,\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\", 
~\\\"LD_PRELOAD=/dev/shm/*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ld_preload_unusual_library_path\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fbb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Library libpam.so hooked using eBPF\",\"enabled\":true,\"expression\":\"bpf.cmd == BPF_MAP_CREATE \\u0026\\u0026 process.args in [r\\\"libpam\\\\.so\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"libpam_ebpf_hook\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j1b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Looney Tunables (CVE-2023-4911) exploit attempted\",\"enabled\":true,\"expression\":\"exec.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 exec.file.uid == 0 \\u0026\\u0026 exec.uid != 0 \\u0026\\u0026 exec.envs in [~\\\"*GLIBC_TUNABLES*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"looney_tunables_exploit\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6ql\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"memfd object created\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\"memfd*\\\" \\u0026\\u0026 exec.file.path == \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"memfd_create\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d1i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process memory was dumped using the minidump function from comsvcs.dll\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*MiniDump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*comsvcs*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"minidump_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"caz-yrk-14e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"enabled\":true,\"expression\":\"dns.question.name in [~\\\"*.minexmr.com\\\", \\\"minexmr.com\\\", ~\\\"*.nanopool.org\\\", \\\"nanopool.org\\\", ~\\\"*.supportxmr.com\\\", \\\"supportxmr.com\\\", ~\\\"*.c3pool.com\\\", \\\"c3pool.com\\\", ~\\\"*.p2pool.io\\\", \\\"p2pool.io\\\", ~\\\"*.ethermine.org\\\", \\\"ethermine.org\\\", ~\\\"*.f2pool.com\\\", \\\"f2pool.com\\\", ~\\\"*.poolin.me\\\", \\\"poolin.me\\\", ~\\\"*.rplant.xyz\\\", \\\"rplant.xyz\\\", ~\\\"*.miningocean.org\\\", \\\"miningocean.org\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mining_pool_lookup\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ab6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently modified file requested credentials from IMDS\",\"enabled\":true,\"expression\":\"imds.url =~ \\\"/*/meta-data/iam/security-credentials/*\\\" \\u0026\\u0026 (process.parent.file.modification_time \\u003c 120s || process.file.modification_time \\u003c 30s)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"modified_file_requesting_imds_creds\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mxb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The host file system was mounted in a container\",\"enabled\":true,\"expression\":\"mount.source.path == \\\"/\\\" \\u0026\\u0026 mount.fs_type != \\\"overlay\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_host_fs\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ibc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The mount utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"mount\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mr5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process hidden using mount\",\"enabled\":true,\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", ~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_proc_hide\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"zfb-ixo-o4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious file was written by a network utility\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0 \\u0026\\u0026 process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_file_download\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sqi-q1z-onu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Network utility executed with suspicious URI\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] \",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_unusual_request\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7y2-ihu-hm2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id == \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os 
== \\\"linux\\\"\"],\"name\":\"net_util\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"a52-req-ghm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Exfiltration attempt via network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026\\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", ~\\\"F=file*\\\"] \\u0026\\u0026\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_util_exfiltration\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w0z-64n-bss\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed in a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_util_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-969\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible netcat shell 
detected\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"netcat\\\", \\\"nc\\\", \\\"ncat\\\"] \\u0026\\u0026 ((exec.args_flags in [\\\"l\\\"] \\u0026\\u0026 exec.args_flags in [\\\"p\\\"]) || (exec.args_flags in [\\\"n\\\"] \\u0026\\u0026 exec.args_flags in [\\\"v\\\"]) || (exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\"]))\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"netcat_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-9rk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Local account groups were enumerated after container start up\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"network_sniffing_tool\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xgw-28i-480\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container executed a new binary not found in the container image\",\"enabled\":true,\"expression\":\"container.id != \\\"\\\" \\u0026\\u0026 process.file.in_upper_layer \\u0026\\u0026 process.file.modification_time \\u003c 30s \\u0026\\u0026 exec.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"new_binary_execution_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qn0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsenter used to breakout of container\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"nsenter\\\" \\u0026\\u0026 exec.args_options in [\\\"target=1\\\", \\\"t=1\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsenter_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mqh-lgo-brj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"v2b-cd3-clr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wwc-6it-t7i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"e5h-onu-f7l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-i9x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) 
\\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 container.created_at \\u003e 90s \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sif-d9p-wzg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4mu-d2x-fyk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"qt9-i99-q9p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without 
authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d4i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"NTDS file referenced in commandline\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"ntds_in_commandline\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-49j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A known kubernetes pentesting tool has been executed\",\"enabled\":true,\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] \\u0026\\u0026 (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"offensive_k8s_tool\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4yt-ize-avz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Omiagent spawns a privileged child process\",\"enabled\":true,\"expression\":\"exec.uid \\u003e= 0 \\u0026\\u0026 process.ancestors.file.name == \\\"omiagent\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"omigod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tp8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process opened a model-specific register (MSR) configuration file\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/sys/module/msr/parameters/allow_writes\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"open_msr_writes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-jl7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"openssl used to establish backdoor\",\"enabled\":true,\"expression\":\"exec.comm == \\\"openssl\\\" \\u0026\\u0026 exec.args =~ \\\"*s_client*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"openssl_backdoor\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0pf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to overwrite the container entrypoint\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/proc/self/fd/1\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0 \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"overwrite_entrypoint\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-o1o\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process made a connection to a port associated with P2PInfect malware\",\"enabled\":true,\"expression\":\"connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 connect.addr.is_public == true \\u0026\\u0026 connect.addr.port \\u003e= 60100 \\u0026\\u0026 connect.addr.port \\u003c= 60150\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"p2pinfect_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"m7d-vlh-3yq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Package management was detected in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"package_management_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"34t-hic-8cn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"pam_modification_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pfu-dvh-e5w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"x7i-34j-1rv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w7o-w48-j34\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"pam_modification_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wri-hx3-4n3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"900-1sj-xhs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pxk-42u-fga\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"l2e-aka-bw6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"enabled\":true,\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"passwd_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"460-gys-lqp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a pastebin-like site\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\", \\\"rentry.co\\\", \\\"transfer.sh\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"paste_site\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7vi-w5r-h15\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xiu-ghq-4zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9ym-18v-5zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"fpa-r6g-2em\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 
(O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-y7j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9pu-mp3-xea\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ssp-47a-p20\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"q0u-s8m-8pd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", 
\\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-lel\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible perl bind shell detected\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"perl*\\\" \\u0026\\u0026 exec.args_flags in [\\\"e\\\"] \\u0026\\u0026 ((exec.args in [~\\\"*socket*\\\", ~\\\"*bind*\\\", ~\\\"*sockaddr*\\\", ~\\\"*listen*\\\", ~\\\"*accept\\\", ~\\\"*stdin*\\\", ~\\\"*stdout\\\"]) || (exec.args in [~\\\"*/bin/sh*\\\", ~\\\"*/bin/bash*\\\"]))\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"perl_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-7ez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible php shell detected\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"php\\\" \\u0026\\u0026 exec.args_flags in [\\\"r\\\"] \\u0026\\u0026 ((exec.args in [~\\\"*socket_bind*\\\", ~\\\"*socket_listen*\\\", ~\\\"*socket_accept*\\\", ~\\\"*socket_create*\\\", 
~\\\"*socket_write*\\\", ~\\\"*socket_read*\\\"]) || (exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\"]))\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"php_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PHP web application spawning shell\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name in [\\\"php.exe\\\",\\\"php-cgi.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"php_spawning_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-8j2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A web application spawned a shell or shell utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"]) \\u0026\\u0026\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"potential_web_shell_parent\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-guo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was executed matching arguments for a UAC bypass technique common in powershell empire\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\\\", ~\\\"*-NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"powershell_empire_uac_bypass\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oy4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A tool used to dump process memory has been executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"procmon.exe\\\",\\\"procdump.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"procdump_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pwu-7u7-iiq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_TRACEME \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ptrace_antidebug\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kpm-7kh-xz5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to inject code into another process\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ptrace_injection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wpz-bim-6rb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"enabled\":true,\"expression\":\"(exec.file.path == \\\"/usr/bin/pkexec\\\" \\u0026\\u0026 exec.envs in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] \\u0026\\u0026 exec.envs not in [~\\\"*DISPLAY*\\\", ~\\\"*DESKTOP_SESSION*\\\"] \\u0026\\u0026 exec.uid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pwnkit_privilege_escalation\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"g7f-kfr-tdb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Python code was provided on the command 
line\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"python*\\\" \\u0026\\u0026 exec.args_flags in [\\\"c\\\"] \\u0026\\u0026 exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", ~\\\"*-c*/bash*\\\", ~\\\"*-c*/bin/sh*\\\", ~\\\"*-c*pty.spawn*\\\"] \\u0026\\u0026 exec.args !~ \\\"*setuptools*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"python_cli_code\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-do7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Possible ransomware note created under common user directories\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", ~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", ~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n\\u0026\\u0026 open.file.name in [r\\\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\\\"] \\u0026\\u0026 open.file.name not in [r\\\"\\\\.lock$\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ransomware_note\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-y27\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"RC scripts modified\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 (open.file.path in [\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"rc_scripts_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The kubeconfig file was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"read_kubeconfig\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-npv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Detects CVE-2022-0543\",\"enabled\":true,\"expression\":\"(open.file.path =~ \\\"/usr/lib/x86_64-linux-gnu/*\\\" \\u0026\\u0026 open.file.name in [\\\"libc-2.29.so\\\", \\\"libc-2.30.so\\\", \\\"libc-2.31.so\\\", \\\"libc-2.32.so\\\", \\\"libc-2.33.so\\\", \\\"libc-2.34.so\\\", \\\"libc-2.35.so\\\", \\\"libc-2.36.so\\\", \\\"libc-2.37.so\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"redis_sandbox_escape\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wv3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Redis module has been created\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) 
\\u003e 0 \\u0026\\u0026 open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) \\u0026\\u0026 process.file.name in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"redis_save_module\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-jed\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows registry hives file location key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\hivelist*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_hives_file_path_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6oh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Registry runkey has been modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_runkey_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6x2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Service registry runkey modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\CurrentVersion\\\\RunServices\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_service_runkey_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bv2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process matches known relay attack tool\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"*PetitPotam*\\\", ~\\\"*RottenPotato*\\\", ~\\\"*HotPotato*\\\", ~\\\"*JuicyPotato*\\\", ~\\\"*just_dce_*\\\", ~\\\"*Juicy Potato*\\\", \\\"rot.exe\\\", \\\"Potato.exe\\\", \\\"SpoolSample.exe\\\", \\\"Responder.exe\\\", ~\\\"*smbrelayx*\\\", ~\\\"*smbrelayx*\\\", ~\\\"*ntlmrelayx*\\\", ~\\\"*LocalPotato*\\\"] || exec.cmdline in [~\\\"*Invoke-Tater*\\\", ~\\\"*smbrelay*\\\", ~\\\"*ntlmrelay*\\\", ~\\\"*cme smb*\\\", ~\\\"*ntlm:NTLMhash*\\\", ~\\\"*Invoke-PetitPotam*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"relay_attack_tool_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-eho\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Container escape attempted by overwriting release_agent\",\"enabled\":true,\"expression\":\"open.file.name == \\\"release_agent\\\" \\u0026\\u0026 open.file.path in [\\\"/tmp/**\\\", \\\"/home/**\\\", \\\"/root/**\\\", \\\"/*\\\"] \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"release_agent_escape\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-b5z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match rubeus credential theft tool\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*asreproast*\\\", ~\\\"*/service:krbtgt*\\\", ~\\\"*dump /luid:0x*\\\", ~\\\"*kerberoast*\\\", ~\\\"*createonly /program*\\\", ~\\\"*ptt /ticket*\\\", ~\\\"*impersonateuser*\\\", ~\\\"*renew /ticket*\\\", ~\\\"*asktgt /user*\\\", ~\\\"*harvest /interval*\\\", ~\\\"*s4u /user*\\\", ~\\\"*hash /password*\\\", ~\\\"*golden /aes256*\\\", ~\\\"*silver /user*\\\", \\\"*rubeus*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"rubeus_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-h19\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The container breakout CVE-2024-21626 was successful\",\"enabled\":true,\"expression\":\"chdir.syscall.path =~ \\\"/proc/self/fd/*\\\" \\u0026\\u0026 chdir.file.path == \\\"/sys/fs/cgroup\\\" \\u0026\\u0026 process.file.name =~ \\\"runc.*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"runc_leaky_fd\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"tlu-qlm-1ow\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The runc binary was modified in a non-standard way\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n\\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"runc_modification\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-x51\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Safeboot registry modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"safeboot_modification\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A scheduled task was created\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*at.exe\\\",~\\\"*schtasks*\\\"] \\u0026\\u0026 exec.cmdline =~ \\\"*create*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"scheduled_task_creation\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wgq-lg4-tas\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SELinux enforcement status was disabled\",\"enabled\":true,\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] \\u0026\\u0026 process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"selinux_disable_enforcement\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j45\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process is tracing privileged processes or sshd for possible credential dumping\",\"enabled\":true,\"expression\":\"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \\u0026\\u0026 ptrace.tracee.euid == 0 \\u0026\\u0026 process.comm not in [\\\"dlv\\\", \\\"dlv-linux-amd64\\\", \\\"strace\\\", \\\"gdb\\\", \\\"lldb-server\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"sensitive_tracing\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-uv8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"systemctl used to stop a service\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"systemctl\\\" \\u0026\\u0026 exec.args in [~\\\"*stop*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"service_stop\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qf8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"sharpup tool used for local privilege escalation\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sharpup.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*HijackablePaths*\\\", ~\\\"*UnquotedServicePath*\\\", ~\\\"*ProcessDLLHijack*\\\", ~\\\"*ModifiableServiceBinaries*\\\", ~\\\"*ModifiableScheduledTask*\\\", ~\\\"*DomainGPPPassword*\\\", ~\\\"*CachedGPPPassword*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"sharpup_tool_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dfr-by9-sx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"unlink.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 unlink.file.path in [~\\\"/root/**\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", 
\\\"containerd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_deleted\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dmf-a2c-odj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A symbolic link for shell history was created targeting /dev/null\",\"enabled\":true,\"expression\":\"exec.comm == \\\"ln\\\" \\u0026\\u0026 exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_symlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"v5x-8l4-d6a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 open.file.path in [~\\\"/root/*\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.file.name == \\\"truncate\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_truncated\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dar\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell made an outbound network connection\",\"enabled\":true,\"expression\":\"connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 process.file.name in 
[\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"] \\u0026\\u0026 connect.addr.is_public == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_net_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fn2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell profile was modified\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] \\u0026\\u0026 open.flags \\u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_profile_modification\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-hbr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match sliver c2 implant\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*NoExit *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*Command *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"sliver_c2_implant_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oi1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible socat shell detected\",\"enabled\":true,\"expression\":\"((exec.file.name == \\\"socat\\\") || (exec.comm == \\\"socat\\\")) \\u0026\\u0026 exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\", ~\\\"*exec*\\\", ~\\\"*pty*\\\", ~\\\"*setsid*\\\", ~\\\"*stderr*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"socat_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"htc-275-0wt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7q3-6aa-pix\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"91f-pyq-54k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n link.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (link.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rpc-ji0-zfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qwu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) 
\\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"t5u-qdx-650\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n rename.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (rename.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"y0y-3gl-645\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n unlink.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (unlink.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hba-kfe-1xr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n utimes.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (utimes.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-o13\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The configuration directory for an ssh worm\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_it_tool_config_write\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-41f\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH initiated a connection on a nonstandard port\",\"enabled\":true,\"expression\":\"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] \\u0026\\u0026 process.file.name == \\\"ssh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_nonstandard_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-g5v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process connected to an SSH server\",\"enabled\":true,\"expression\":\"connect.addr.port == 22 \\u0026\\u0026 connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 connect.addr.ip not in [127.0.0.0/8]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_outbound_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"y5i-yxn-27t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.mode != chmod.file.destination.mode\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kyr-sg6-us9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w6f-wte-i63\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" 
]\\n || link.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"191-ty1-ede\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qt6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n\\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"o5t-b08-86p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9y1-cbb-p03\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ayv-hqe-lx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-crv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path == 
\\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-l8e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-myb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path == \\\"/etc/sudoers\\\"\\n || link.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mmo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n(open.file.path == \\\"/etc/sudoers\\\")) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-550\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path == \\\"/etc/sudoers\\\"\\n || rename.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bxs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-s07\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-5wh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a SUID file was executed\",\"enabled\":true,\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) \\u0026\\u0026 process.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 process.file.uid == 0 \\u0026\\u0026 process.uid != 0 \\u0026\\u0026 process.file.path != \\\"/usr/bin/sudo\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suid_file_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4y4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious bitsadmin command has been executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"bitsadmin.exe\\\" 
\\u0026\\u0026 exec.cmdline in [~\\\"*addfile*\\\", ~\\\"*create*\\\", ~\\\"*resume*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"suspicious_bitsadmin_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"afj-5sv-2wb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container management utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suspicious_container_client\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-eck\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dll written to a suspicious directory\",\"enabled\":true,\"expression\":\"create.file.name =~ \\\"*.dll\\\" \\u0026\\u0026 create.file.device_path not in [~\\\"\\\\Device\\\\*\\\\Windows\\\\System32\\\\**\\\", ~\\\"\\\\Device\\\\*\\\\ProgramData\\\\docker\\\\**\\\"] \\u0026\\u0026 process.file.name != \\\"dockerd.exe\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"suspicious_dll_write\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-2k6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Suspicious usage of ntdsutil\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"ntdsutil.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*ntds*\\\", ~\\\"*create*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"suspicious_ntdsutil_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zo8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently written or modified suid file has been executed\",\"enabled\":true,\"expression\":\"((process.file.mode \\u0026 S_ISUID \\u003e 0) \\u0026\\u0026 process.file.modification_time \\u003c 30s) \\u0026\\u0026 exec.file.name != \\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suspicious_suid_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"48s-46n-g4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wwy-h4d-pwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"64n-p6m-uq1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", 
~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7zw-qbm-y6d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"prk-6q1-g0m\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", 
~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jlt-y4v-dax\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"yjj-o5q-x00\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-18q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tar archive created\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" \\u0026\\u0026 exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tar_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-925\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell with a TTY was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 process.tty_name != \\\"\\\" \\u0026\\u0026 
process.container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tty_shell_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-hlr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tunneling or port forwarding tool used\",\"enabled\":true,\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") \\u0026\\u0026 process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] \\u0026\\u0026 process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] \\u0026\\u0026 process.args in [r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" \\u0026\\u0026 process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" \\u0026\\u0026 process.args in [r\\\"(TCP4-LISTEN:|SOCKS)\\\"]) || (exec.comm in [\\\"iodine\\\", \\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] \\u0026\\u0026 process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tunnel_traffic\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wok\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Device rule created\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/etc/udev/rules.d/*\\\", ~\\\"/lib/udev/rules.d/*\\\", ~\\\"/usr/lib/udev/rules.d/*\\\", ~\\\"/usr/local/lib/udev/rules.d/*\\\", ~\\\"/run/udev/rules.d/*\\\"] 
\\u0026\\u0026 open.flags \\u0026 O_CREAT \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"udev_modification\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oil\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The unshare utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"unshare\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"unshare_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"07y-k18-cih\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was created via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"D\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"user_created_tty\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qem\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was deleted via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"userdel\\\", 
\\\"deluser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"user_deleted_tty\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-a65\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Web application requested IMDSv1 credentials\",\"enabled\":true,\"expression\":\"imds.aws.is_imds_v2 == false \\u0026\\u0026 imds.url =~ \\\"*/*/meta-data/iam/security-credentials/*\\\" \\u0026\\u0026 (process.ancestors.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.ancestors.file.name =~ \\\"php*\\\" || process.ancestors.file.name == \\\"java\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"webapp_imds_V1_request\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nip\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Browser WebDriver spawned shell\",\"enabled\":true,\"expression\":\"process.parent.file.name in [~\\\"chromedriver*\\\", \\\"geckodriver\\\"] \\u0026\\u0026 exec.file.name not in [\\\"chrome\\\", \\\"google-chrome\\\", \\\"chromium\\\", \\\"firefox\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"webdriver_spawned_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-gqa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows boot registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\IniFileMapping\\\\SYSTEM.ini\\\\boot*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_boot_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tat\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows RPC COM debugging registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_com_rpc_debugging_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-76q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows cryptographic blocking policy modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllRemoveSignedDataMsg*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_cryptographic_blocking_policy_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fsq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A cryptominer was potentially executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", ~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_cryptominer_process\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6lj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"windows explorer file has been modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\explorer.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_explorer_executable_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wnn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows firewall configuration registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_firewall_configuration_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tlf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"the windows hosts file was modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\system32\\\\Drivers\\\\etc\\\\hosts\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_hosts_file_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zp4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"microsoft security essentials executable modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\Program Files\\\\Microsoft Security Client\\\\msseces.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_security_essentials_executable_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-n3u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows shell folders registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders*\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_shell_folders_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-m9i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows environment variable registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Environment*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_system_enviroment_variable_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wqf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows update registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsUpdate*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_update_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows winlogon registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"winlogon_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vjv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Command executed via WMI\",\"enabled\":true,\"expression\":\"exec.file.name in 
[~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name == \\\"WmiPrvSE.exe\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"wmi_spawning_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}}]}" }, "cookies": [], "headers": [ @@ -47,8 +47,8 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-04-23T17:57:49.137Z", - "time": 190 + "startedDateTime": "2025-04-01T14:30:58.778Z", + "time": 180 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response_2201921436/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response_2201921436/frozen.json index ae445347b22b..cf85493520e6 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response_2201921436/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response_2201921436/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:49.344Z" +"2025-04-01T14:30:58.973Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response_2201921436/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response_2201921436/recording.har index 46ef32e4d0f4..5145711d7aff 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response_2201921436/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response_2201921436/recording.har 
@@ -7,59 +7,6 @@ "version": "6.0.5" }, "entries": [ - { - "_id": "7621ec8a3279e91fe81099cc3743d9c9", - "_order": 0, - "cache": {}, - "request": { - "bodySize": 208, - "cookies": [], - "headers": [ - { - "_fromType": "array", - "name": "accept", - "value": "application/json" - }, - { - "_fromType": "array", - "name": "content-type", - "value": "application/json" - } - ], - "headersSize": 626, - "httpVersion": "HTTP/1.1", - "method": "POST", - "postData": { - "mimeType": "application/json", - "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1713895069\"},\"type\":\"agent_rule\"}}" - }, - "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules" - }, - "response": { - "bodySize": 636, - "content": { - "mimeType": "application/json", - "size": 636, - "text": "{\"data\":{\"id\":\"sk6-sni-wfh\",\"attributes\":{\"version\":1,\"name\":\"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1713895069\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713895069454,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713895069454,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n" - }, - "cookies": [], - "headers": [ - { - "name": "content-type", - "value": "application/json" - } - ], - "headersSize": 654, - "httpVersion": "HTTP/1.1", - "redirectURL": "", - "status": 200, - "statusText": "OK" - }, - "startedDateTime": "2024-04-23T17:57:49.346Z", - "time": 
158 - }, { "_id": "cd6f56ab0bb26cf99ca43ceb6ee894b8", "_order": 0, 
@@ -81,11 +28,11 @@ "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules" }, "response": { - "bodySize": 262336, + "bodySize": 271895, "content": { "mimeType": "application/json", - "size": 262336, - "text": "{\"data\":[{\"id\":\"sk6-sni-wfh\",\"attributes\":{\"version\":1,\"name\":\"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1713895069\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713895069454,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713895069454,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zfc-g0g-a8x\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_LPRxi\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196703991,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196703991,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pae-rpt-yni\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_CpDMZ\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196520725,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196520725,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jwu-xbf-ic5\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_HfYXr\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196519724,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196519724,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uew-oxg-b86\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_Tjzvu\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712805386256,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712805386256,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wyn-ib7-f7o\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_fWORB\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712805020073,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712805020073,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mwk-g74-lbd\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_XcxFr\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712804840761,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712804840761,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rqa-io7-fwn\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_bKkuv\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712804479644,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712804479644,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n1x-qsa-p53\",\"attributes\":{\"version\":1,\"name\":\"windows_cryptominer_process\",\"description\":\"A cryptominer was potentially 
executed\",\"expression\":\"exec.cmdline in [~\\\"*xmrig*\\\", ~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", ~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1712079129574,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rws-z9b-qjv\",\"attributes\":{\"version\":1,\"name\":\"ransomware_note\",\"description\":\"Possible ransomware note created under common user directories\",\"expression\":\"open.flags & O_CREAT > 0\\n&& open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", ~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", ~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n&& open.file.name in [r\\\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\\\"] && open.file.name not in [r\\\".*\\\\.lock$\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1711644650371,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pqp-0vs-cmu\",\"attributes\":{\"version\":1,\"name\":\"ssh_it_tool_config_write\",\"description\":\"The configuration directory for an ssh worm\",\"expression\":\"open.file.path in [\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1711644642969,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tkp-w9m-vzp\",\"attributes\":{\"version\":1,\"name\":\"safeboot_modification\",\"description\":\"Safeboot registry modified\",\"expression\":\"set.registry.key_path =~ \\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SafeBoot\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1711644635093,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8be-hej-nf2\",\"attributes\":{\"version\":3,\"name\":\"ps_discovery\",\"description\":\"Processes were listed using the ps command\",\"expression\":\"exec.comm == \\\"ps\\\" && exec.argv not in [\\\"-p\\\", \\\"--pid\\\"] && process.ancestors.file.name not in [\\\"qualys-cloud-agent\\\", \\\"amazon-ssm-agent\\\"] && process.parent.file.name not in [\\\"rkhunter\\\", \\\"jspawnhelper\\\", ~\\\"vm-agent*\\\", \\\"PassengerAgent\\\", \\\"node\\\", \\\"wdavdaemon\\\", \\\"chkrootkit\\\", \\\"tsagentd\\\", \\\"wazuh-modulesd\\\", \\\"wdavdaemon\\\", \\\"talend-remote-engine-service\\\", \\\"check_procs\\\", \\\"newrelic-daemon\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1711644627589,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wn9-9vf-8be\",\"attributes\":{\"version\":1,\"name\":\"mount_proc_hide\",\"description\":\"Process hidden using 
mount\",\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", ~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1711644623109,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"upj-muh-hms\",\"attributes\":{\"version\":2,\"name\":\"chatroom_request\",\"description\":\"A DNS request was made for a chatroom domain\",\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"category\":\"Network Activity\",\"creationDate\":0,\"updateDate\":1711644612626,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gnz-81e-6lg\",\"attributes\":{\"version\":1,\"name\":\"cryptominer_envs\",\"description\":\"Process environment variables match cryptocurrency miner\",\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", \\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1711644602654,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7da-gwx-c3l\",\"attributes\":{\"version\":2,\"name\":\"auditctl_usage\",\"description\":\"The auditctl command was used to modify auditd\",\"expression\":\"exec.file.name == \\\"auditctl\\\" && exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"updateDate\":1711644592613,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8jg-xym-vqz\",\"attributes\":{\"version\":1,\"name\":\"jupyter_shell_execution\",\"description\":\"A Jupyter notebook executed a shell\",\"expression\":\"(exec.file.name in [\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"test\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in 
[\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) && process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1711644590883,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9ih-87r-xrp\",\"attributes\":{\"version\":1,\"name\":\"registry_runkey_modified\",\"description\":\"A Registry runkey has been modified\",\"expression\":\"set.registry.key_path in [~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal 
Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunonceEx\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1711644584412,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"msb-ai6-ua5\",\"attributes\":{\"version\":2,\"name\":\"tunnel_traffic\",\"description\":\"Tunneling or port forwarding tool used\",\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") && process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] && process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] && process.args in [r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" && process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" && process.args in [r\\\".*(TCP4-LISTEN:|SOCKS).*\\\"]) || (exec.comm in [\\\"iodine\\\", \\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] && process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1711644574925,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6fr-csu-axm\",\"attributes\":{\"version\":7,\"name\":\"k8s_pod_service_account_token_accessed\",\"description\":\"The Kubernetes pod service account token was accessed\",\"expression\":\"open.file.path in 
[~\\\"/var/run/secrets/kubernetes.io/serviceaccount/**\\\", ~\\\"/run/secrets/kubernetes.io/serviceaccount/**\\\"] && open.file.name == \\\"token\\\" && process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"] && process.file.path not in [\\\"/usr/bin/cilium-agent\\\", \\\"/coredns\\\", \\\"/usr/bin/cilium-operator\\\", \\\"/manager\\\", \\\"/fluent-bit/bin/fluent-bit\\\", \\\"/usr/local/bin/cloud-node-manager\\\", \\\"/secrets-store-csi\\\", \\\"/bin/secrets-store-csi-driver-provider-aws\\\", \\\"/usr/bin/calico-node\\\", \\\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\\\", \\\"/nginx-ingress-controller\\\", \\\"/cluster-autoscaler\\\", \\\"/cluster-proportional-autoscaler\\\", \\\"/haproxy-ingress-controller\\\", \\\"/kube-state-metrics\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/external-secrets\\\", \\\"/node-termination-handler\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/vault\\\", \\\"/usr/local/bin/kubectl\\\", \\\"/local-provisioner\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/usr/local/bin/vaultd\\\", \\\"/usr/local/bin/trace-driveline-writer\\\", \\\"/usr/local/bin/registration-controller\\\", \\\"/usr/local/bin/cluster-autoscaler\\\"] && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", 
\\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1711644571787,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"30s-pi8-9b4\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1711550899699,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1711550899699,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"a9q-iyx-gfu\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686508595,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686508595,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"hlq-w7y-5tg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686508341,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686508341,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"lj4-ina-ue2\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507890,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507890,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"qlz-mcu-d2k\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507757,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507757,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bmx-go6-0lz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507388,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507388,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bk0-mpb-ii8\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507115,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507115,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"0xw-wbm-pel\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131459596,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131459596,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"nvt-eoh-yiz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131458820,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131458820,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"dc5-hba-20b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131457616,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131457616,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"asb-kqf-vex\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131457216,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131457216,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yzx-ia6-bdh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131456469,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131456469,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"3uo-x9p-tmb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131455692,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131455692,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"kan-5ki-wau\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872191984,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872191984,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ggb-h3r-t7d\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872191450,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872191450,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"y4n-8gx-m3n\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872190549,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872190549,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"xsf-ugy-cfq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872190256,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872190256,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"btr-btz-zif\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872189757,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872189757,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"jnw-ija-az5\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872189262,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872189262,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"6v0-shq-8gm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452911364,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452911364,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yrv-svq-9nz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452911144,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452911144,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"9s9-wui-t8c\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910712,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910712,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"krm-ssv-tn5\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910586,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910586,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"uiu-6vz-z2h\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910368,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910368,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"eej-oup-jwu\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910147,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910147,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ltv-fla-wb0\",\"attributes\":{\"version\":1,\"name\":\"ntds_in_commandline\",\"description\":\"NTDS file referenced in commandline\",\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1704404490608,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"uuf-w3c-u9q\",\"attributes\":{\"version\":1,\"name\":\"scheduled_task_creation\",\"description\":\"A scheduled task was created\",\"expression\":\"exec.file.name in [\\\"at.exe\\\",\\\"schtasks.exe\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1704404490608,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nyc-gfz-yr5\",\"attributes\":{\"version\":5,\"name\":\"nsswitch_conf_mod_chown\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"updateDate\":1704404477785,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bm8-j5w-xfv\",\"attributes\":{\"version\":3,\"name\":\"suspicious_suid_execution\",\"description\":\"Recently written or modified suid file has been executed\",\"expression\":\"((process.file.mode & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name != \\\"\\\" && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1704404469455,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"phy-tco-k7w\",\"attributes\":{\"version\":6,\"name\":\"database_shell_execution\",\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n 
\\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/
bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) &&\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] &&\\n!(process.parent.file.name == \\\"initdb\\\" &&\\nexec.args == \\\"-c locale -a\\\") &&\\n!(process.parent.file.name == \\\"postgres\\\" &&\\nexec.args == ~\\\"*pg_wal*\\\")\",\"category\":\"Process Activity\",\"creationDate\":1617722069155,\"updateDate\":1704404453620,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7x1-glr-ofl\",\"attributes\":{\"version\":2,\"name\":\"credential_modified_open_v2\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\\n (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", 
\\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && container.created_at > 90s\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1704404453617,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jjg-cwd-bi8\",\"attributes\":{\"version\":2,\"name\":\"pci_11_5_critical_binaries_open_v2\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && container.created_at > 90s\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1704404449335,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rqb-wq9-xzq\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_jcvqK\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1704404420111,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1704404420111,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"sqx-azd-ia2\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_ivMAv\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1700251049947,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1700251049947,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"83g-jde-hyc\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1700243663249,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1700243663249,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hyg-8q3-gme\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294824,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294824,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bn3-we8-cxn\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294647,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294647,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"goh-6ij-cpa\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294269,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294269,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"he7-cho-9th\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294175,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294175,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"pj5-9wo-0ny\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219293961,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219293961,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"dmd-ens-omw\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219293736,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219293736,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"8ft-wcs-sok\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132880522,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132880522,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"onm-fm3-ilm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132880255,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132880255,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cxv-wyz-udh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879795,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879795,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"7ro-vjj-hqg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879679,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879679,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"3uf-mai-edh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879455,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879455,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"e2t-sos-sgs\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879213,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879213,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"joz-phu-bj6\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046608383,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046608383,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"9gx-e5x-wxl\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046607880,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046607880,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cmg-7ok-iws\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046607019,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046607019,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"fc2-mmz-xme\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046606743,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046606743,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cw4-gei-lqg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046606184,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046606184,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"djb-5it-syy\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046605699,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046605699,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"2be-cfa-xhr\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960183272,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960183272,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5dp-tcj-tbm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960182731,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960182731,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"a0m-zaf-0a8\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181838,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181838,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"erx-pyz-xft\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181554,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181554,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ydh-fsm-slz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181024,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181024,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5pp-60h-keq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960180438,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960180438,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"xyn-fkc-osi\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873852793,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873852793,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"llg-x6t-jjq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873852043,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873852043,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"q1s-ejx-xq3\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873850880,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873850880,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"zw4-cad-dro\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873850490,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873850490,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"rik-8jl-7nr\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873849810,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873849810,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"vih-vom-ryl\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873849102,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873849102,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"mhl-gkn-bun\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_unlink\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"updateDate\":1699614659146,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"j3f-cie-47b\",\"attributes\":{\"version\":2,\"name\":\"kernel_module_load_from_memory\",\"description\":\"A kernel module was loaded from memory\",\"expression\":\"load_module.loaded_from_memory == true\",\"category\":\"Kernel 
Activity\",\"creationDate\":1650293718630,\"updateDate\":1699614659145,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"my1-vln-8fq\",\"attributes\":{\"version\":3,\"name\":\"cryptominer_args\",\"description\":\"A process launched with arguments associated with cryptominers\",\"expression\":\"exec.args_options in [~\\\"cpu-priority*\\\", ~\\\"donate-level*\\\"] || exec.args in [~\\\"*stratum+tcp*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1699614656177,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"us6-p6v-hbj\",\"attributes\":{\"version\":2,\"name\":\"tar_execution\",\"description\":\"Tar archive created\",\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" && exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1699614655670,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vky-y2i-mvh\",\"attributes\":{\"version\":2,\"name\":\"java_shell_execution_parent\",\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n 
\\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\
\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"])\\n&& process.parent.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1699614653571,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ohe-vlf-t2h\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_chown\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"updateDate\":1699614645120,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"abo-w0g-emz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614584761,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614584761,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yyr-62t-pwg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614584201,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614584201,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"s87-olo-akk\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614583309,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614583309,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"hqc-ilw-6pg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614583007,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614583007,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5ik-iyy-ry4\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614582497,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614582497,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"0mj-ptm-mcq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614581944,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614581944,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"awr-mtg-lce\",\"attributes\":{\"version\":1,\"name\":\"offensive_k8s_tool\",\"description\":\"A known kubernetes pentesting tool has been executed\",\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] && (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"updateDate\":1699605598275,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qng-psi-j15\",\"attributes\":{\"version\":5,\"name\":\"runc_modification\",\"description\":\"The runc binary was modified in a non-standard way\",\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n&& open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"creationDate\":1627392837049,\"updateDate\":1699605592780,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vlh-msh-elx\",\"attributes\":{\"version\":1,\"name\":\"redis_save_module\",\"description\":\"Redis module has been created\",\"expression\":\"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) && process.file.name in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1699605590262,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"i0s-yb1-hnl\",\"attributes\":{\"version\":4,\"name\":\"net_util_exfiltration\",\"description\":\"Exfiltration attempt via network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1699605585597,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ki7-koc-icf\",\"attributes\":{\"version\":2,\"name\":\"apparmor_modified_tty\",\"description\":\"An AppArmor profile was modified in an interactive session\",\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] && exec.tty_name !=\\\"\\\"\",\"category\":\"Process Activity\",\"creationDate\":1627392836162,\"updateDate\":1699605581360,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kzh-5hn-edg\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_chmod\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", 
~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"updateDate\":1699605577106,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rm1-b8h-cec\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_link\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"updateDate\":1699605575176,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zk5-jeo-579\",\"attributes\":{\"version\":2,\"name\":\"rc_scripts_modified\",\"description\":\"RC scripts modified\",\"expression\":\"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path in [\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1699605566454,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"je9-er4-njy\",\"attributes\":{\"version\":2,\"name\":\"selinux_disable_enforcement\",\"description\":\"SELinux enforcement status was disabled\",\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] && process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"category\":\"Kernel Activity\",\"creationDate\":1635332067172,\"updateDate\":1699605560892,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yly-big-wfq\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_chown\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", 
~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"updateDate\":1699605558253,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6ef-efv-07c\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_utimes\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1606142933669,\"updateDate\":1699605550430,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"1vg-wvn-jeo\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_rename\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"updateDate\":1699605548906,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"332-1wp-nhi\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1699375258346,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1699375258346,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pn7-9wx-enb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130893,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130893,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zag-uxd-4rh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130586,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130586,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"gj1-f5n-atq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130040,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130040,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xoa-393-gtb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129856,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129856,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wib-odd-eos\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129533,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129533,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zi0-hgn-9ec\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129209,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129209,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"oce-aqj-x6b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185616079,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185616079,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cdt-p7e-q1b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185615169,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185615169,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wgo-mps-djd\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185614427,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185614427,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"odr-ipk-wvx\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185613924,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185613924,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nb1-dkb-bwz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185612915,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185612915,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"t2g-qma-f5b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185611378,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185611378,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pwg-71z-aob\",\"attributes\":{\"version\":1,\"name\":\"ssl_certificate_tampering_open_v2\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\\n&& container.created_at > 180s\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1688748504240,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zuq-yfd-hun\",\"attributes\":{\"version\":1,\"name\":\"deploy_priv_container\",\"description\":\"A privileged container was created\",\"expression\":\"exec.file.name != \\\"\\\" && container.created_at < 1s && process.cap_permitted & CAP_SYS_ADMIN > 0\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1688748488881,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ayp-cd9-j3f\",\"attributes\":{\"version\":1,\"name\":\"network_sniffing_tool\",\"description\":\"Local account groups were enumerated after container start up\",\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"updateDate\":1688748485348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"x3k-0en-bhm\",\"attributes\":{\"version\":1,\"name\":\"ssh_authorized_keys_open_v2\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && container.created_at > 180s\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1688748480895,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kmx-s3s-htb\",\"attributes\":{\"version\":1,\"name\":\"nsswitch_conf_mod_open_v2\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && container.created_at > 180s\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1688748480617,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fdh-b1k-i0e\",\"attributes\":{\"version\":1,\"name\":\"suid_file_execution\",\"description\":\"a SUID file was executed\",\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \\\"/usr/bin/sudo\\\"\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1688748479473,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rqu-01q-fmr\",\"attributes\":{\"version\":1,\"name\":\"net_util_in_container_v2\",\"description\":\"A network utility was executed in a container\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id != \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ] && container.created_at > 180s\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1688748479210,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"igw-lex-dzw\",\"attributes\":{\"version\":1,\"name\":\"hidden_file_executed\",\"description\":\"A hidden file was executed in a suspicious folder\",\"expression\":\"exec.file.name =~ \\\".*\\\" && exec.file.path in [~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1688748474266,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ixh-tff-n0g\",\"attributes\":{\"version\":1,\"name\":\"shell_profile_modification\",\"description\":\"Shell profile was modified\",\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1688748474208,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"84k-f4f-yx8\",\"attributes\":{\"version\":4,\"name\":\"python_cli_code\",\"description\":\"Python code was provided on the command line\",\"expression\":\"exec.file.name == ~\\\"python*\\\" && exec.args_flags in [\\\"c\\\"] && exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", \\\"*-c*/bash*\\\", \\\"*-c*/bin/sh*\\\", \\\"*-c*pty.spawn*\\\"] && exec.args !~ \\\"*setuptools*\\\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1688748470573,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"llh-ylu-udm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740629202,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740629202,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tfj-qbi-njb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740550818,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740550818,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"otj-idk-ece\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740379706,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740379706,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"l88-cpw-jvx\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688739737197,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688739737197,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kcw-scc-5ve\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\",\"description\":\"Test 
Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688677455854,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688677455854,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lg7-iv9-wts\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_utimes\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (utimes.file.path == \\\"/etc/sudoers\\\")\\n) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684185006444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"lxo-jgz-gtv\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_chown\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path == \\\"/etc/sudoers\\\")\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1684185001787,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vu4-g2z-6yx\",\"attributes\":{\"version\":1,\"name\":\"user_deleted_tty\",\"description\":\"A user was deleted via an interactive session\",\"expression\":\"exec.file.name in [\\\"userdel\\\", \\\"deluser\\\"] && exec.tty_name !=\\\"\\\" && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1684185000708,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"dgj-0mh-asf\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_unlink\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (unlink.file.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684184996909,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6t0-pxf-oag\",\"attributes\":{\"version\":1,\"name\":\"curl_docker_socket\",\"description\":\"The Docker socket was referenced in a cURL command\",\"expression\":\"exec.file.name == \\\"curl\\\" && exec.args_flags in [\\\"unix-socket\\\"] && exec.args in [\\\"*docker.sock*\\\"] && container.id != \\\"\\\"\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"updateDate\":1684184996292,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"07x-ilo-vbw\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_rename\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (rename.file.path == \\\"/etc/sudoers\\\"\\n || rename.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684184995498,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vbb-8oz-uj8\",\"attributes\":{\"version\":1,\"name\":\"read_release_info\",\"description\":\"OS information was read from the /etc/lsb-release file\",\"expression\":\"open.file.path == \\\"/etc/lsb-release\\\" && open.flags & O_RDONLY > 0\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684184994303,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"hxb-abz-bnu\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_chmod\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode != chmod.file.mode && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1684184993817,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wxp-zv6-mdg\",\"attributes\":{\"version\":1,\"name\":\"kmod_list\",\"description\":\"Kernel modules were listed using the kmod command\",\"expression\":\"exec.comm == \\\"kmod\\\" && exec.args in [~\\\"*list*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1684184992493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"0on-nzp-luo\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_open\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"\\n(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n(open.file.path == \\\"/etc/sudoers\\\")) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684184992340,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rsp-g6i-jdi\",\"attributes\":{\"version\":1,\"name\":\"service_stop\",\"description\":\"systemctl used to stop a service\",\"expression\":\"exec.file.name == \\\"systemctl\\\" && exec.args in [~\\\"*stop*\\\"]\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"updateDate\":1684184991238,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"d5p-vk6-w0f\",\"attributes\":{\"version\":1,\"name\":\"exec_lsmod\",\"description\":\"Kernel modules were listed using the lsmod command\",\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1684184990877,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ich-3ke-cor\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_link\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (link.file.path == \\\"/etc/sudoers\\\"\\n || link.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684184985910,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zdy-kcq-q0v\",\"attributes\":{\"version\":1,\"name\":\"read_kubeconfig\",\"description\":\"The kubeconfig file was accessed\",\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684184984191,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yij-lei-ykx\",\"attributes\":{\"version\":1,\"name\":\"exec_whoami\",\"description\":\"The whoami command was 
executed\",\"expression\":\"exec.comm == \\\"whoami\\\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1684184982050,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fjh-jmi-fbi\",\"attributes\":{\"version\":1,\"name\":\"auditd_rule_file_modified\",\"description\":\"The auditd rules file was modified without using auditctl\",\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \\\"auditctl\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490457848,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"div-3ym-esz\",\"attributes\":{\"version\":1,\"name\":\"auditd_config_modified\",\"description\":\"The auditd configuration file was modified without using auditctl\",\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \\\"auditctl\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490453830,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"swo-jyw-vtb\",\"attributes\":{\"version\":5,\"name\":\"aws_eks_service_account_token_accessed\",\"description\":\"The AWS EKS service account token was accessed\",\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" && open.file.name == \\\"token\\\" && process.file.path not in 
[\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490453789,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"2p0-3i2-b4y\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_open\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490451189,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ybu-yya-acz\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_chmod\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n 
(chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.mode != chmod.file.destination.mode\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"updateDate\":1681490448291,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kek-yib-peb\",\"attributes\":{\"version\":2,\"name\":\"shell_history_deleted\",\"description\":\"Shell History was Deleted\",\"expression\":\"(unlink.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\") && process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490445819,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"w07-amm-bxr\",\"attributes\":{\"version\":10,\"name\":\"ssl_certificate_tampering_utimes\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490443753,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pti-xku-k7y\",\"attributes\":{\"version\":3,\"name\":\"shell_history_truncated\",\"description\":\"Shell History was Deleted\",\"expression\":\"open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\" && open.file.path in [~\\\"/root/*\\\", ~\\\"/home/**\\\"] && process.file.name == \\\"truncate\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490441112,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jin-icc-lpi\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_unlink\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", 
~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"updateDate\":1681490440557,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"aby-cmp-yrd\",\"attributes\":{\"version\":2,\"name\":\"dynamic_linker_config_write\",\"description\":\"A process wrote to a dynamic linker config file\",\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", \\\"/etc/ld.so.conf.d/*.conf\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"] && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1681490436787,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7nq-ugi-gu1\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_link\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n && process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.file.name !~ \\\"runc*\\\"\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"updateDate\":1681490436302,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qzs-yvl-f4t\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_rename\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && 
process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"updateDate\":1681490435881,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9hn-ukg-ek1\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222899530,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222899530,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ulc-8ym-1ch\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222899155,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222899155,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zja-jqt-rpm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898613,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898613,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"2ov-h11-m4w\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898408,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898408,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"shb-0xv-eib\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898061,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898061,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"psp-nbn-dtg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222897739,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222897739,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mcq-6by-989\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856493876,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856493876,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tci-5f7-cis\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856492960,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856492960,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mey-lit-gzs\",\"attributes\":{\"version\":1,\"name\":\"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856491445,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856491445,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"4ve-rws-nw0\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856490988,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856490988,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"9aa-y0q-rrc\",\"attributes\":{\"version\":1,\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856490077,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856490077,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tvd-3p1-cai\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856489180,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856489180,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"asy-mod-zmt\",\"attributes\":{\"version\":5,\"name\":\"user_created_tty\",\"description\":\"A user was 
created via an interactive session\",\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] && exec.tty_name !=\\\"\\\" && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && exec.args_flags not in [\\\"D\\\"]\",\"category\":\"Process Activity\",\"creationDate\":1627392836979,\"updateDate\":1677793421528,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rek-wb4-s7y\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_rename\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1677793418528,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"4fh-bb7-747\",\"attributes\":{\"version\":11,\"name\":\"credential_modified_chmod\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (chmod.file.path in [ 
\\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"updateDate\":1677793414173,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yiy-mba-pny\",\"attributes\":{\"version\":5,\"name\":\"common_net_intrusion_util\",\"description\":\"A network utility (nmap) commonly used in intrusion attacks was executed\",\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zgrab\\\", \\\"zgrab2\\\", \\\"rustscan\\\", \\\"pnscan\\\"] && exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"category\":\"Process Activity\",\"creationDate\":1617722067554,\"updateDate\":1677793413474,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3tj-btx-kvo\",\"attributes\":{\"version\":5,\"name\":\"package_management_in_container\",\"description\":\"Package management was detected in a 
container\",\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && container.id != \\\"\\\"\",\"category\":\"Process Activity\",\"creationDate\":1617722067648,\"updateDate\":1677793413044,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"oio-i4o-xzw\",\"attributes\":{\"version\":1,\"name\":\"tty_shell_in_container\",\"description\":\"A shell with a TTY was executed in a container\",\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] && process.tty_name != \\\"\\\" && process.container.id != \\\"\\\"\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"updateDate\":1677793412844,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qdc-oqx-zsx\",\"attributes\":{\"version\":8,\"name\":\"systemd_modification_chown\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1677793412379,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pwh-omk-qrr\",\"attributes\":{\"version\":3,\"name\":\"new_binary_execution_in_container\",\"description\":\"A container executed a new binary not found in the container image\",\"expression\":\"container.id != \\\"\\\" && process.file.in_upper_layer && process.file.modification_time < 30s && exec.file.name != \\\"\\\"\",\"category\":\"Process Activity\",\"creationDate\":1652129906455,\"updateDate\":1677793412378,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bgs-kbk-xkh\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_link\",\"description\":\"A service may have been 
modified without authorization\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1677793412375,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tmh-now-e61\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_open\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1606142933669,\"updateDate\":1677793410974,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kxs-kt6-5gt\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_unlink\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1677793406609,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ohp-ags-xpk\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_utimes\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File 
Activity\",\"creationDate\":1606142936138,\"updateDate\":1677793405837,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"t8w-eul-chf\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_utimes\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1677793405627,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ay7-jkz-rda\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_unlink\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"updateDate\":1677793404797,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fpw-paa-smb\",\"attributes\":{\"version\":10,\"name\":\"kernel_module_utimes\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746168,\"updateDate\":1677793402985,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"c4t-pxu-ixk\",\"attributes\":{\"version\":10,\"name\":\"kernel_module_unlink\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", 
~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746168,\"updateDate\":1677793402725,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ec9-vff-7ni\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_link\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1598516746168,\"updateDate\":1677793401708,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"r5z-tke-sjm\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_link\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"updateDate\":1677793401181,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"eoy-4fe-q7q\",\"attributes\":{\"version\":11,\"name\":\"credential_modified_chown\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", 
\\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"updateDate\":1677793399502,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"cd0-w8q-vl4\",\"attributes\":{\"version\":11,\"name\":\"kernel_module_chown\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File 
Activity\",\"creationDate\":1598516746168,\"updateDate\":1677793397722,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bw8-80r-qih\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_BAiZP\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677793394115,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677793394115,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mpb-1rj-dv6\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_rename\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1598516746168,\"updateDate\":1677793394010,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ac4-asc-qi4\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_rename\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"updateDate\":1677793391290,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gtx-vpl-ror\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_lszUX\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1675978633464,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1675978633464,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xye-pfo-y0r\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_open\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746168,\"updateDate\":1674486423764,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"cmu-g58-cau\",\"attributes\":{\"version\":6,\"name\":\"cron_at_job_creation_rename\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ 
\\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486423628,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"sna-hgh-vo4\",\"attributes\":{\"version\":3,\"name\":\"dynamic_linker_config_unlink\",\"description\":\"A process unlinked a dynamic linker config file\",\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1674486422738,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"efc-svz-7hu\",\"attributes\":{\"version\":1,\"name\":\"potential_web_shell_parent\",\"description\":\"A web application spawned a shell or shell utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n 
\\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin
/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) &&\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1674486413493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tna-ty5-e7c\",\"attributes\":{\"version\":1,\"name\":\"mount_host_fs\",\"description\":\"The host file system was mounted in a container\",\"expression\":\"mount.source.path == \\\"/\\\" && mount.fs_type != \\\"overlay\\\" && container.id != \\\"\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1674486412444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ygi-ozn-m5d\",\"attributes\":{\"version\":1,\"name\":\"memfd_create\",\"description\":\"memfd object created\",\"expression\":\"exec.file.name =~ \\\"memfd*\\\" && exec.file.path == \\\"\\\"\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"updateDate\":1674486411993,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nlp-lzc-rcf\",\"attributes\":{\"version\":5,\"name\":\"systemd_modification_open\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142929241,\"updateDate\":1674486408888,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"avt-p2e-fyc\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_chmod\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File 
Activity\",\"creationDate\":1598516746168,\"updateDate\":1674486407158,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ipa-v3l-kt6\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_chmod\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) && chmod.file.destination.mode != chmod.file.mode\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486406983,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3xl-qds-f0e\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_chown\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", 
~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486406776,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"0gu-pqy-o1a\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_link\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486406604,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ygn-d8o-ncr\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_utimes\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486406387,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"psd-3el-h33\",\"attributes\":{\"version\":9,\"name\":\"credential_modified_utimes\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"updateDate\":1674486406248,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"atu-tci-bjn\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_unlink\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& 
process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486405229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"onm-dqu-jly\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_open\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486404864,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kuu-k1s-gqz\",\"attributes\":{\"version\":6,\"name\":\"systemd_modification_chmod\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"creationDate\":1606142929241,\"updateDate\":1674486404846,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"hnh-eio-mow\",\"attributes\":{\"version\":2,\"name\":\"ptrace_antidebug\",\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"expression\":\"ptrace.request == PTRACE_TRACEME && process.file.name != \\\"\\\"\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718435,\"updateDate\":1670604150759,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"f5y-pdn-pnj\",\"attributes\":{\"version\":4,\"name\":\"kernel_module_load\",\"description\":\"A kernel module was loaded\",\"expression\":\"load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", \\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\"] && process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718458,\"updateDate\":1670604150549,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ddh-ld5-2rj\",\"attributes\":{\"version\":1,\"name\":\"aws_imds\",\"description\":\"An AWS IMDS was called via a network 
utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", \\\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1670604150281,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"enj-kdc-1tt\",\"attributes\":{\"version\":1,\"name\":\"net_file_download\",\"description\":\"A suspicious file was written by a network utility\",\"expression\":\"open.flags & O_CREAT > 0 && process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n&& (\\n (open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1670604150067,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wew-y1h-1um\",\"attributes\":{\"version\":1,\"name\":\"compile_after_delivery\",\"description\":\"A compiler wrote a suspicious file in a container\",\"expression\":\"open.flags & O_CREAT > 0\\n&& (\\n (open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n&& (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"])\\n&& 
process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n&& container.id != \\\"\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1670604150062,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ct9-og0-h7h\",\"attributes\":{\"version\":1,\"name\":\"net_unusual_request\",\"description\":\"Network utility executed with suspicious URI\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] \",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1670604150059,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9dx-svj-apj\",\"attributes\":{\"version\":1,\"name\":\"azure_imds\",\"description\":\"An Azure IMDS was called via a network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1670604150058,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"sah-xju-jcq\",\"attributes\":{\"version\":1,\"name\":\"gcp_imds\",\"description\":\"An GCP IMDS was called via a network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", 
~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1670604150002,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"mmk-0g6-4qu\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_VxNSK\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1668731826060,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1668731826060,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uze-gr4-sfh\",\"attributes\":{\"version\":1,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1667938921652,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1667938921652,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mgd-dmc-zta\",\"attributes\":{\"version\":1,\"name\":\"interactive_shell_in_container\",\"description\":\"An interactive shell was started inside of a container\",\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n 
\\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] && exec.args_flags in [\\\"i\\\"] && container.id !=\\\"\\\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1666888169595,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3lt-gov-2yu\",\"attributes\":{\"version\":4,\"name\":\"net_util\",\"description\":\"A network utility was executed\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id == \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"category\":\"Process Activity\",\"creationDate\":1642158534952,\"updateDate\":1666888163498,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jx4-pkv-247\",\"attributes\":{\"version\":2,\"name\":\"dirty_pipe_attempt\",\"description\":\"Potential Dirty pipe exploitation attempt\",\"expression\":\"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) 
!= 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)\",\"category\":\"File Activity\",\"creationDate\":1648564123603,\"updateDate\":1666888163347,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ifl-wfe-sch\",\"attributes\":{\"version\":6,\"name\":\"net_util_in_container\",\"description\":\"A network utility was executed in a container\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id != \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"category\":\"Process Activity\",\"creationDate\":1617722068439,\"updateDate\":1666888163319,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"aux-r7v-odv\",\"attributes\":{\"version\":2,\"name\":\"dirty_pipe_exploitation\",\"description\":\"Potential Dirty pipe exploitation\",\"expression\":\"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid != 0 && process.gid != 0)\",\"category\":\"File Activity\",\"creationDate\":1648564123563,\"updateDate\":1666888163318,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vri-cjo-ywh\",\"attributes\":{\"version\":2,\"name\":\"pwnkit_privilege_escalation\",\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"expression\":\"(exec.file.path == 
\\\"/usr/bin/pkexec\\\" && exec.envs in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] && exec.envs not in [~\\\"*DISPLAY*\\\", ~\\\"*DESKTOP_SESSION*\\\"] && exec.uid != 0)\",\"category\":\"Process Activity\",\"creationDate\":1643639113864,\"updateDate\":1666888163135,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ejk-rbu-v9x\",\"attributes\":{\"version\":3,\"name\":\"passwd_execution\",\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] && exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"category\":\"Process Activity\",\"creationDate\":1617722068383,\"updateDate\":1666888162106,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pej-frv-8lb\",\"attributes\":{\"version\":2,\"name\":\"java_shell_execution\",\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n 
\\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/b
in/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"])\\n&& process.ancestors.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationDate\":1617722069224,\"updateDate\":1666888161764,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"llh-jd2-obf\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_cdxqn\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1666320581140,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1666320581140,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xae-nwo-v33\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_iNwDw\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1666305602255,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1666305602255,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rvp-ggu-cvk\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706668670,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706791898,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"vx9-lii-nnm\",\"attributes\":{\"version\":1,\"name\":\"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706690162,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706690162,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xur-uya-vqn\",\"attributes\":{\"version\":1,\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706656639,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706656639,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"96x-aqb-3yh\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_RMoJm\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706171079,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706171079,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"smc-exb-ymp\",\"attributes\":{\"version\":1,\"name\":\"ld_preload_unusual_library_path\",\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file directory\",\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\" ,~\\\"LD_PRELOAD=/dev/shm/*\\\" ]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1665475122471,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fak-u9s-pac\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_chown\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" 
])\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"updateDate\":1665475121157,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ki2-nwj-sot\",\"attributes\":{\"version\":4,\"name\":\"nsswitch_conf_mod_chmod\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"updateDate\":1665475120054,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"12k-ui3-z4h\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_chmod\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"updateDate\":1665475102566,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ien-7aw-blw\",\"attributes\":{\"version\":4,\"name\":\"ssh_authorized_keys_chown\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && (chown.file.destination.uid != 
chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"updateDate\":1665475102281,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vqc-lta-u8c\",\"attributes\":{\"version\":4,\"name\":\"ssh_authorized_keys_chmod\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"updateDate\":1665475100348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"m1y-sk8-b4c\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_xkrhu\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665129615755,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665129615755,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"19v-30b-0xf\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665129432848,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665129432848,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ehj-52q-wq0\",\"attributes\":{\"version\":1,\"name\":\"shell_history_symlink\",\"description\":\"A symbolic link for shell history was created targeting /dev/null\",\"expression\":\"exec.comm == \\\"ln\\\" && exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1661193980229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gp1-mai-dlc\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test_us1_prod\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661183150504,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661183150504,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ai3-b8g-lbc\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test_prod\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661182864424,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661182864424,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tmz-dqc-yml\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661182722064,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661182722064,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ez9-ozl-3lz\",\"attributes\":{\"version\":2,\"name\":\"potential_cryptominer\",\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"expression\":\"dns.question.name in [~\\\"*minexmr.com\\\", ~\\\"*nanopool.org\\\", ~\\\"*supportxmr.com\\\", ~\\\"*c3pool.com\\\", ~\\\"*p2pool.io\\\", ~\\\"*ethermine.org\\\", ~\\\"*f2pool.com\\\", ~\\\"*poolin.me\\\", ~\\\"*rplant.xyz\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network 
Activity\",\"creationDate\":0,\"updateDate\":1658502077556,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tef-sab-thr\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001153179,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001158687,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wup-o5b-tjo\",\"attributes\":{\"version\":1,\"name\":\"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001152681,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001152681,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"c3v-vla-rev\",\"attributes\":{\"version\":1,\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001148856,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001148856,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"yel-nbl-2pj\",\"attributes\":{\"version\":1,\"name\":\"testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1654691372829,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1654691372829,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"rp0-hmk-9c1\",\"attributes\":{\"version\":1,\"name\":\"ip_check_domain\",\"description\":\"A DNS lookup was done for a IP check service\",\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"updateDate\":1654020337230,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"q7y-2ci-hkh\",\"attributes\":{\"version\":1,\"name\":\"paste_site\",\"description\":\"A DNS lookup was done for a pastebin-like 
site\",\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"updateDate\":1654020335889,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ntj-rfs-mw3\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1652008845797,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1652008845797,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dyn-u7u-v86\",\"attributes\":{\"version\":2,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997888388,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997888544,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mlg-yxw-uig\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997887223,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997887223,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lq3-t6t-xng\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997886363,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997886363,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"1hp-hpr-4ez\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\",\"description\":\"My 
Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997885869,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997885869,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mt3-pks-n5s\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997884985,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997884985,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"r4a-yvz-rj7\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997884150,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997884150,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"5k1-gwi-0aq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651943472022,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651943472022,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lkj-jnq-r6s\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651915815493,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651915815493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mbc-iwk-zpb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651912470539,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651912470539,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fzb-lli-m26\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651867150336,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651867150336,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"9mk-xxe-lpw\",\"attributes\":{\"version\":2,\"name\":\"suspicious_container_client\",\"description\":\"A container management utility was executed in a container\",\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\"] && container.id != \\\"\\\"\",\"category\":\"Process Activity\",\"creationDate\":1617722068555,\"updateDate\":1651671394200,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ieg-lmk-cgo\",\"attributes\":{\"version\":2,\"name\":\"kernel_module_load_container\",\"description\":\"A container loaded a new kernel module\",\"expression\":\"load_module.name != \\\"\\\" && 
container.id !=\\\"\\\"\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718705,\"updateDate\":1650371511241,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"lzx-kkv-at3\",\"attributes\":{\"version\":1,\"name\":\"ptrace_injection\",\"description\":\"A process attempted to inject code into another process\",\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718540,\"updateDate\":1650293789265,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"foo-pve-qbq\",\"attributes\":{\"version\":1,\"name\":\"kernel_module_load_from_memory_container\",\"description\":\"A kernel module was loaded from memory inside a container\",\"expression\":\"load_module.loaded_from_memory == true && container.id !=\\\"\\\"\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718365,\"updateDate\":1650293788418,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"irg-o45-pxz\",\"attributes\":{\"version\":3,\"name\":\"example_agent_rule\",\"description\":\"An example agent rule generated in terraform\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1647036168203,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1647036377676,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rsy-7jg-hqm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392938634,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392938634,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"m39-rre-anw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392919175,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392919175,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"4wd-unc-xof\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name 
== \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392899126,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392899126,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jhk-qpj-jlt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392475857,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392475857,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ruf-aic-d4j\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392453588,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392453588,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jtf-zrn-0ph\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392434263,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392434263,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ijz-1cz-bms\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392042558,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392042558,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"21m-gs8-p43\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392021741,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392021741,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"in7-ydq-pbw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391998597,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391998597,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"v8v-sem-rmg\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391745920,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391745920,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kox-qtp-cbn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name 
== \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391725233,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391725233,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"thp-evn-3gr\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391702920,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391702920,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hx6-v0z-9gk\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390450706,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390450706,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n8j-9n3-urm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390427444,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390427444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tkl-mjf-is5\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390405807,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390405807,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"up2-fhh-bc8\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390171673,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390171673,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"vdu-0rd-lnj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390147278,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390147278,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dfb-wz2-0ka\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390124588,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390124588,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"7vz-wdj-vwc\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389998703,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389998703,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"qls-upn-1vc\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389972825,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389972825,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rxo-lya-bqu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389950224,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389950224,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dm3-ip4-rza\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389929035,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389929035,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rzs-ccq-4qm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389773436,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389773436,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wa9-zm8-8ds\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389706550,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389706550,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"alm-sgy-vz3\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389645597,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389645597,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dls-vo9-rqx\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389575084,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389575084,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fyz-u20-nvn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389549031,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389549031,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nqv-0et-fcj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389523942,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389523942,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"u7v-36z-wue\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389502800,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389502800,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"y2z-ffa-zys\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389479547,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389479547,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cym-1zi-nnd\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389428402,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389428402,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ip9-wgt-q3k\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389406698,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389406698,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"t9d-zbo-2nw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389381751,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389381751,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kaw-0h7-dji\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389356453,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389356453,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"m4i-otg-jnj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389335243,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389335243,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"heh-lnh-xwm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389226802,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389226802,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cwa-5rh-qtd\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389204108,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389204108,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"e5l-xtx-hmi\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389181761,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389181761,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ebx-lyj-r3a\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389155207,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389155207,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xac-4if-49b\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389130549,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389130549,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dh6-bdu-8v0\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389106392,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389106392,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hkd-6dr-ify\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388960762,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388960762,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"bsx-fod-0xj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388931383,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388931383,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"8jt-x9p-yoy\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388907818,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388907818,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rhd-qao-dub\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388883010,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388883010,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"j0f-fhi-ab7\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388862340,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388862340,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rvn-u2c-xm4\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388843151,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388843151,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ldn-agb-3fl\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388744863,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388744863,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cyr-g7t-to0\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388719895,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388719895,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wnm-xkk-mat\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388693095,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388693095,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"moo-kuq-zbt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388275282,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388275282,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wzs-moc-ji9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388250051,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388250051,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uw2-d3y-5h6\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388226579,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388226579,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fez-txs-qf9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388201323,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388201323,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fga-mna-xej\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388177724,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388177724,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"iyn-7sl-swn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388157048,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388157048,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"p3w-qyi-pbo\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388010676,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388010676,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"yyt-sfa-fck\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387597089,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387597089,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"5z7-fqq-siu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387573023,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387573023,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ivz-amj-yl7\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387549793,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387549793,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lyv-3xn-qch\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387524178,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387524178,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fpt-c7o-ipx\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387500298,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387500298,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tap-fek-5kw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387480011,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387480011,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"u7b-x0z-cbe\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387165931,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387165931,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hhe-gcm-vjl\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387141298,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387141298,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nt9-5fe-de1\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387114912,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387114912,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pj0-bcy-euh\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387082695,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387082695,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rm5-px4-iua\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387057879,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387057879,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cqz-7pc-ajz\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387032689,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387032689,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hot-prj-df5\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386926682,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386926682,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"q7n-lvv-4au\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386901939,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386901939,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"gly-5wu-uny\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386877222,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386877222,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"umz-fjl-7qq\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386850558,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386850558,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"spq-5f8-isw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386826170,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386826170,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dul-hdz-xmo\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386804704,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386804704,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n94-q2a-co9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386762229,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386762229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"x1n-wra-hdt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386735946,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386735946,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kgt-kcc-tnu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386713348,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386713348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"znp-dul-gcj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386674573,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386674573,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ily-tsr-dtj\",\"attributes\":{\"version\":1,\"name\":\"compiler_in_container\",\"description\":\"Compiler Executed in Container\",\"expression\":\"(exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || (exec.file.name == \\\"go\\\" && exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) && container.id !=\\\"\\\" && process.ancestors.file.path != \\\"/usr/bin/cilium-agent\\\"\",\"category\":\"Process Activity\",\"creationDate\":1627392836759,\"updateDate\":1636729662344,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jl5-wjt-58e\",\"attributes\":{\"version\":1,\"name\":\"aws_metadata_service\",\"description\":\"EC2 Instance Metadata Service Accessed via Network 
Utility\",\"expression\":\"exec.file.path in [\\\"/usr/bin/wget\\\", \\\"/usr/bin/curl\\\"] && exec.args in [~\\\"*169.254.169.254*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":1627392836096,\"updateDate\":1629226276630,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8ol-dkr-aml\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_link\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fdf-wvb-c3k\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_open\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pkn-azw-qia\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_rename\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wpt-ba8-mpd\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_unlink\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7ud-d2o-qgo\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_utimes\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"za8-uxc-jxk\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_link\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n link.file.name == \\\"authorized_keys\\\" && (link.file.path in [ ~\\\"*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nej-iw4-adk\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_open\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.name == \\\"authorized_keys\\\" && (open.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tiz-yss-zhq\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_rename\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n rename.file.name == \\\"authorized_keys\\\" && (rename.file.path in [ ~\\\"*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"apr-zj4-ee1\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_unlink\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n unlink.file.name == \\\"authorized_keys\\\" && (unlink.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yhq-etl-wr6\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_utimes\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n utimes.file.name == \\\"authorized_keys\\\" && (utimes.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"m8i-uhr-aoq\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_link\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"adl-qjr-lyg\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_open\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"2fy-aqt-8mz\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_rename\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ei7-n5e-rvv\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_unlink\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"}]}\n" + "size": 271895, + "text": "{\"data\":[{\"id\":\"h9w-1za-erv\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1742473059337,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1742473059978,\"filters\":[\"os 
== \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"khg-aab-9th\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1737245935950,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1737245936416,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ayg-ed4-gwq\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_KSDPb\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1730871736407,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1730871736407,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"om5-n7z-ike\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_qDgvU\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1727845578846,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1727845578846,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"6ae-6oo-ebo\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_DBtCK\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1724855417119,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1724855417119,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"z3p-vom-jnb\",\"attributes\":{\"version\":1,\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1724373425669,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1724373425669,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"aum-fmk-2zi\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_sUVnW\",\"description\":\"Execution of a java 
process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1720846828022,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1720846828022,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"8j1-gvj-zbg\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_ipyRF\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1720846816336,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1720846816336,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mgj-zek-ajo\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_AszwF\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1718401086044,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1718401086044,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"bf0-bng-csr\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_bVlLJ\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1718400725834,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1718400725834,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"qni-ngf-dzd\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_tSfwV\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1716175452369,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1716175452369,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"qio-d0k-d3j\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_mABue\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1716162686297,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1716162686297,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fbo-ian-ijl\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_VfQSV\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713905359927,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713905359927,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"1o7-fwy-pet\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_JAnCe\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713903379681,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713903379681,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ug1-mbq-gkm\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_KJInv\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713902127183,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713902127183,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xvo-htm-wak\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_PkauG\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713901759732,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713901759732,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zfc-g0g-a8x\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_LPRxi\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196703991,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196703991,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pae-rpt-yni\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_CpDMZ\",\"description\":\"Execution of a java 
process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196520725,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196520725,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jwu-xbf-ic5\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_HfYXr\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196519724,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196519724,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uew-oxg-b86\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_Tjzvu\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712805386256,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712805386256,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wyn-ib7-f7o\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_fWORB\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712805020073,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712805020073,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mwk-g74-lbd\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_XcxFr\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712804840761,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712804840761,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rqa-io7-fwn\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_bKkuv\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712804479644,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712804479644,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n1x-qsa-p53\",\"attributes\":{\"version\":1,\"name\":\"windows_cryptominer_process\",\"description\":\"A cryptominer was potentially executed\",\"expression\":\"exec.cmdline in [~\\\"*xmrig*\\\", ~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", ~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1712079129574,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rws-z9b-qjv\",\"attributes\":{\"version\":1,\"name\":\"ransomware_note\",\"description\":\"Possible ransomware note created under common user directories\",\"expression\":\"open.flags & O_CREAT > 0\\n&& open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", ~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", ~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n&& open.file.name in [r\\\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\\\"] && open.file.name not in [r\\\".*\\\\.lock$\\\"]\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644650371,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pqp-0vs-cmu\",\"attributes\":{\"version\":1,\"name\":\"ssh_it_tool_config_write\",\"description\":\"The configuration directory for an ssh worm\",\"expression\":\"open.file.path in [\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644642969,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tkp-w9m-vzp\",\"attributes\":{\"version\":1,\"name\":\"safeboot_modification\",\"description\":\"Safeboot registry modified\",\"expression\":\"set.registry.key_path =~ \\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SafeBoot\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644635093,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8be-hej-nf2\",\"attributes\":{\"version\":3,\"name\":\"ps_discovery\",\"description\":\"Processes were listed using the ps command\",\"expression\":\"exec.comm == \\\"ps\\\" && exec.argv not in [\\\"-p\\\", \\\"--pid\\\"] && process.ancestors.file.name not in [\\\"qualys-cloud-agent\\\", \\\"amazon-ssm-agent\\\"] && process.parent.file.name not in [\\\"rkhunter\\\", \\\"jspawnhelper\\\", ~\\\"vm-agent*\\\", 
\\\"PassengerAgent\\\", \\\"node\\\", \\\"wdavdaemon\\\", \\\"chkrootkit\\\", \\\"tsagentd\\\", \\\"wazuh-modulesd\\\", \\\"wdavdaemon\\\", \\\"talend-remote-engine-service\\\", \\\"check_procs\\\", \\\"newrelic-daemon\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644627589,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wn9-9vf-8be\",\"attributes\":{\"version\":1,\"name\":\"mount_proc_hide\",\"description\":\"Process hidden using mount\",\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", ~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644623109,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"upj-muh-hms\",\"attributes\":{\"version\":2,\"name\":\"chatroom_request\",\"description\":\"A DNS request was made for a chatroom domain\",\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"category\":\"Network Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644612626,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gnz-81e-6lg\",\"attributes\":{\"version\":1,\"name\":\"cryptominer_envs\",\"description\":\"Process environment variables match cryptocurrency miner\",\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", 
\\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644602654,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7da-gwx-c3l\",\"attributes\":{\"version\":2,\"name\":\"auditctl_usage\",\"description\":\"The auditctl command was used to modify auditd\",\"expression\":\"exec.file.name == \\\"auditctl\\\" && exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644592613,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8jg-xym-vqz\",\"attributes\":{\"version\":1,\"name\":\"jupyter_shell_execution\",\"description\":\"A Jupyter notebook executed a shell\",\"expression\":\"(exec.file.name in 
[\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"test\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in [\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) && process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644590883,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9ih-87r-xrp\",\"attributes\":{\"version\":1,\"name\":\"registry_runkey_modified\",\"description\":\"A Registry runkey has been modified\",\"expression\":\"set.registry.key_path in [~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunonceEx\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644584412,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"msb-ai6-ua5\",\"attributes\":{\"version\":2,\"name\":\"tunnel_traffic\",\"description\":\"Tunneling or port 
forwarding tool used\",\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") && process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] && process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] && process.args in [r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" && process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" && process.args in [r\\\".*(TCP4-LISTEN:|SOCKS).*\\\"]) || (exec.comm in [\\\"iodine\\\", \\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] && process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644574925,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6fr-csu-axm\",\"attributes\":{\"version\":7,\"name\":\"k8s_pod_service_account_token_accessed\",\"description\":\"The Kubernetes pod service account token was accessed\",\"expression\":\"open.file.path in [~\\\"/var/run/secrets/kubernetes.io/serviceaccount/**\\\", ~\\\"/run/secrets/kubernetes.io/serviceaccount/**\\\"] && open.file.name == \\\"token\\\" && process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", 
\\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"] && process.file.path not in [\\\"/usr/bin/cilium-agent\\\", \\\"/coredns\\\", \\\"/usr/bin/cilium-operator\\\", \\\"/manager\\\", \\\"/fluent-bit/bin/fluent-bit\\\", \\\"/usr/local/bin/cloud-node-manager\\\", \\\"/secrets-store-csi\\\", \\\"/bin/secrets-store-csi-driver-provider-aws\\\", \\\"/usr/bin/calico-node\\\", \\\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\\\", \\\"/nginx-ingress-controller\\\", \\\"/cluster-autoscaler\\\", \\\"/cluster-proportional-autoscaler\\\", \\\"/haproxy-ingress-controller\\\", \\\"/kube-state-metrics\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/external-secrets\\\", \\\"/node-termination-handler\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/vault\\\", \\\"/usr/local/bin/kubectl\\\", \\\"/local-provisioner\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/usr/local/bin/vaultd\\\", \\\"/usr/local/bin/trace-driveline-writer\\\", \\\"/usr/local/bin/registration-controller\\\", \\\"/usr/local/bin/cluster-autoscaler\\\"] && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644571787,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"30s-pi8-9b4\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1711550899699,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1711550899699,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"a9q-iyx-gfu\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686508595,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686508595,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"hlq-w7y-5tg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686508341,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686508341,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"lj4-ina-ue2\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507890,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507890,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"qlz-mcu-d2k\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507757,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507757,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bmx-go6-0lz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507388,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507388,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bk0-mpb-ii8\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507115,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507115,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"0xw-wbm-pel\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131459596,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131459596,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"nvt-eoh-yiz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131458820,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131458820,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"dc5-hba-20b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131457616,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131457616,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"asb-kqf-vex\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131457216,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131457216,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yzx-ia6-bdh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131456469,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131456469,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"3uo-x9p-tmb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131455692,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131455692,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"kan-5ki-wau\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872191984,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872191984,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ggb-h3r-t7d\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872191450,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872191450,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"y4n-8gx-m3n\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872190549,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872190549,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"xsf-ugy-cfq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872190256,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872190256,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"btr-btz-zif\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872189757,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872189757,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"jnw-ija-az5\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872189262,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872189262,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"6v0-shq-8gm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452911364,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452911364,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yrv-svq-9nz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452911144,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452911144,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"9s9-wui-t8c\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910712,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910712,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"krm-ssv-tn5\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910586,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910586,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"uiu-6vz-z2h\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910368,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910368,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"eej-oup-jwu\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910147,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910147,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ltv-fla-wb0\",\"attributes\":{\"version\":1,\"name\":\"ntds_in_commandline\",\"description\":\"NTDS file referenced in commandline\",\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404490608,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"uuf-w3c-u9q\",\"attributes\":{\"version\":1,\"name\":\"scheduled_task_creation\",\"description\":\"A scheduled task was created\",\"expression\":\"exec.file.name in [\\\"at.exe\\\",\\\"schtasks.exe\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404490608,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nyc-gfz-yr5\",\"attributes\":{\"version\":5,\"name\":\"nsswitch_conf_mod_chown\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1704404477785,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bm8-j5w-xfv\",\"attributes\":{\"version\":3,\"name\":\"suspicious_suid_execution\",\"description\":\"Recently written or modified suid file has been executed\",\"expression\":\"((process.file.mode & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name != \\\"\\\" && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404469455,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"phy-tco-k7w\",\"attributes\":{\"version\":6,\"name\":\"database_shell_execution\",\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n 
\\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\
\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) &&\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] &&\\n!(process.parent.file.name == \\\"initdb\\\" &&\\nexec.args == \\\"-c locale -a\\\") &&\\n!(process.parent.file.name == \\\"postgres\\\" &&\\nexec.args == ~\\\"*pg_wal*\\\")\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722069155,\"updateDate\":1704404453620,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7x1-glr-ofl\",\"attributes\":{\"version\":2,\"name\":\"credential_modified_open_v2\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\\n (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in 
[~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && container.created_at > 90s\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404453617,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jjg-cwd-bi8\",\"attributes\":{\"version\":2,\"name\":\"pci_11_5_critical_binaries_open_v2\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && container.created_at > 90s\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404449335,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rqb-wq9-xzq\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_jcvqK\",\"description\":\"Execution of a java 
process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1704404420111,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1704404420111,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"sqx-azd-ia2\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_ivMAv\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1700251049947,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1700251049947,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"83g-jde-hyc\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1700243663249,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1700243663249,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hyg-8q3-gme\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294824,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294824,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bn3-we8-cxn\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294647,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294647,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"goh-6ij-cpa\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294269,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294269,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"he7-cho-9th\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294175,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294175,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"pj5-9wo-0ny\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219293961,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219293961,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"dmd-ens-omw\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219293736,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219293736,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"8ft-wcs-sok\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132880522,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132880522,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"onm-fm3-ilm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132880255,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132880255,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cxv-wyz-udh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879795,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879795,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"7ro-vjj-hqg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879679,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879679,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"3uf-mai-edh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879455,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879455,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"e2t-sos-sgs\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879213,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879213,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"joz-phu-bj6\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046608383,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046608383,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"9gx-e5x-wxl\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046607880,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046607880,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cmg-7ok-iws\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046607019,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046607019,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"fc2-mmz-xme\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046606743,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046606743,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cw4-gei-lqg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046606184,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046606184,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"djb-5it-syy\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046605699,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046605699,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"2be-cfa-xhr\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960183272,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960183272,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5dp-tcj-tbm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960182731,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960182731,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"a0m-zaf-0a8\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181838,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181838,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"erx-pyz-xft\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181554,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181554,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ydh-fsm-slz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181024,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181024,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5pp-60h-keq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960180438,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960180438,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"xyn-fkc-osi\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873852793,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873852793,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"llg-x6t-jjq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873852043,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873852043,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"q1s-ejx-xq3\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873850880,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873850880,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"zw4-cad-dro\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873850490,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873850490,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"rik-8jl-7nr\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873849810,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873849810,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"vih-vom-ryl\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873849102,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873849102,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"mhl-gkn-bun\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_unlink\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699614659146,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"j3f-cie-47b\",\"attributes\":{\"version\":2,\"name\":\"kernel_module_load_from_memory\",\"description\":\"A kernel module was loaded from memory\",\"expression\":\"load_module.loaded_from_memory == true\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718630,\"updateDate\":1699614659145,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"my1-vln-8fq\",\"attributes\":{\"version\":3,\"name\":\"cryptominer_args\",\"description\":\"A process launched with arguments 
associated with cryptominers\",\"expression\":\"exec.args_options in [~\\\"cpu-priority*\\\", ~\\\"donate-level*\\\"] || exec.args in [~\\\"*stratum+tcp*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699614656177,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"us6-p6v-hbj\",\"attributes\":{\"version\":2,\"name\":\"tar_execution\",\"description\":\"Tar archive created\",\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" && exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699614655670,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vky-y2i-mvh\",\"attributes\":{\"version\":2,\"name\":\"java_shell_execution_parent\",\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", 
\\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\
"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"])\\n&& process.parent.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699614653571,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ohe-vlf-t2h\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_chown\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1699614645120,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"abo-w0g-emz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614584761,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614584761,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yyr-62t-pwg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614584201,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614584201,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"s87-olo-akk\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614583309,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614583309,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"hqc-ilw-6pg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614583007,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614583007,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5ik-iyy-ry4\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614582497,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614582497,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"0mj-ptm-mcq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614581944,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614581944,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"awr-mtg-lce\",\"attributes\":{\"version\":1,\"name\":\"offensive_k8s_tool\",\"description\":\"A known kubernetes pentesting tool has been executed\",\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] && (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699605598275,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qng-psi-j15\",\"attributes\":{\"version\":5,\"name\":\"runc_modification\",\"description\":\"The runc binary was modified in a non-standard way\",\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n&& open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\\n&& process.file.path not in 
[~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392837049,\"updateDate\":1699605592780,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vlh-msh-elx\",\"attributes\":{\"version\":1,\"name\":\"redis_save_module\",\"description\":\"Redis module has been created\",\"expression\":\"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) && process.file.name in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699605590262,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"i0s-yb1-hnl\",\"attributes\":{\"version\":4,\"name\":\"net_util_exfiltration\",\"description\":\"Exfiltration attempt via network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699605585597,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ki7-koc-icf\",\"attributes\":{\"version\":2,\"name\":\"apparmor_modified_tty\",\"description\":\"An AppArmor profile was modified in an interactive session\",\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] && exec.tty_name !=\\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392836162,\"updateDate\":1699605581360,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kzh-5hn-edg\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_chmod\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605577106,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rm1-b8h-cec\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_link\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605575176,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zk5-jeo-579\",\"attributes\":{\"version\":2,\"name\":\"rc_scripts_modified\",\"description\":\"RC scripts modified\",\"expression\":\"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path in [\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) && process.ancestors.file.path not in 
[~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699605566454,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"je9-er4-njy\",\"attributes\":{\"version\":2,\"name\":\"selinux_disable_enforcement\",\"description\":\"SELinux enforcement status was disabled\",\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] && process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1635332067172,\"updateDate\":1699605560892,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yly-big-wfq\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_chown\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605558253,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6ef-efv-07c\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_utimes\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605550430,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"1vg-wvn-jeo\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_rename\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", 
~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605548906,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"332-1wp-nhi\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1699375258346,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1699375258346,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pn7-9wx-enb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130893,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130893,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zag-uxd-4rh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130586,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130586,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"gj1-f5n-atq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130040,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130040,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xoa-393-gtb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129856,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129856,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wib-odd-eos\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129533,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129533,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zi0-hgn-9ec\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129209,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129209,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"oce-aqj-x6b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185616079,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185616079,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cdt-p7e-q1b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185615169,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185615169,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wgo-mps-djd\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185614427,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185614427,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"odr-ipk-wvx\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185613924,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185613924,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nb1-dkb-bwz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185612915,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185612915,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"t2g-qma-f5b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185611378,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185611378,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pwg-71z-aob\",\"attributes\":{\"version\":1,\"name\":\"ssl_certificate_tampering_open_v2\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ 
\\\"runc*\\\"\\n&& container.created_at > 180s\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748504240,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zuq-yfd-hun\",\"attributes\":{\"version\":1,\"name\":\"deploy_priv_container\",\"description\":\"A privileged container was created\",\"expression\":\"exec.file.name != \\\"\\\" && container.created_at < 1s && process.cap_permitted & CAP_SYS_ADMIN > 0\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748488881,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ayp-cd9-j3f\",\"attributes\":{\"version\":1,\"name\":\"network_sniffing_tool\",\"description\":\"Local account groups were enumerated after container start up\",\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748485348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"x3k-0en-bhm\",\"attributes\":{\"version\":1,\"name\":\"ssh_authorized_keys_open_v2\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && container.created_at > 180s\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748480895,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kmx-s3s-htb\",\"attributes\":{\"version\":1,\"name\":\"nsswitch_conf_mod_open_v2\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && container.created_at > 180s\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748480617,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fdh-b1k-i0e\",\"attributes\":{\"version\":1,\"name\":\"suid_file_execution\",\"description\":\"a SUID file was executed\",\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \\\"/usr/bin/sudo\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748479473,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rqu-01q-fmr\",\"attributes\":{\"version\":1,\"name\":\"net_util_in_container_v2\",\"description\":\"A network utility was executed in a container\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id != \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ] && container.created_at > 
180s\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748479210,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"igw-lex-dzw\",\"attributes\":{\"version\":1,\"name\":\"hidden_file_executed\",\"description\":\"A hidden file was executed in a suspicious folder\",\"expression\":\"exec.file.name =~ \\\".*\\\" && exec.file.path in [~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748474266,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ixh-tff-n0g\",\"attributes\":{\"version\":1,\"name\":\"shell_profile_modification\",\"description\":\"Shell profile was modified\",\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748474208,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"84k-f4f-yx8\",\"attributes\":{\"version\":4,\"name\":\"python_cli_code\",\"description\":\"Python code was provided on the command line\",\"expression\":\"exec.file.name == ~\\\"python*\\\" && exec.args_flags in [\\\"c\\\"] && exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", \\\"*-c*/bash*\\\", \\\"*-c*/bin/sh*\\\", \\\"*-c*pty.spawn*\\\"] && exec.args !~ \\\"*setuptools*\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748470573,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"llh-ylu-udm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740629202,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740629202,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tfj-qbi-njb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740550818,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740550818,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"otj-idk-ece\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740379706,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740379706,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"l88-cpw-jvx\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688739737197,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688739737197,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kcw-scc-5ve\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688677455854,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688677455854,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lg7-iv9-wts\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_utimes\",\"description\":\"Sudoers policy file may have 
been modified without authorization\",\"expression\":\"(\\n (utimes.file.path == \\\"/etc/sudoers\\\")\\n) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684185006444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"lxo-jgz-gtv\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_chown\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path == \\\"/etc/sudoers\\\")\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684185001787,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vu4-g2z-6yx\",\"attributes\":{\"version\":1,\"name\":\"user_deleted_tty\",\"description\":\"A user was deleted via an interactive session\",\"expression\":\"exec.file.name in [\\\"userdel\\\", \\\"deluser\\\"] && exec.tty_name !=\\\"\\\" && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684185000708,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"dgj-0mh-asf\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_unlink\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (unlink.file.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184996909,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6t0-pxf-oag\",\"attributes\":{\"version\":1,\"name\":\"curl_docker_socket\",\"description\":\"The Docker socket was referenced in a cURL command\",\"expression\":\"exec.file.name == \\\"curl\\\" && exec.args_flags in [\\\"unix-socket\\\"] && exec.args in [\\\"*docker.sock*\\\"] && container.id != \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184996292,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"07x-ilo-vbw\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_rename\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (rename.file.path == \\\"/etc/sudoers\\\"\\n || rename.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184995498,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vbb-8oz-uj8\",\"attributes\":{\"version\":1,\"name\":\"read_release_info\",\"description\":\"OS information was read from the /etc/lsb-release file\",\"expression\":\"open.file.path == \\\"/etc/lsb-release\\\" && open.flags & O_RDONLY > 0\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184994303,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"hxb-abz-bnu\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_chmod\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode != chmod.file.mode && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184993817,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wxp-zv6-mdg\",\"attributes\":{\"version\":1,\"name\":\"kmod_list\",\"description\":\"Kernel modules were listed using the kmod command\",\"expression\":\"exec.comm == \\\"kmod\\\" && exec.args in [~\\\"*list*\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184992493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"0on-nzp-luo\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_open\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"\\n(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n(open.file.path == \\\"/etc/sudoers\\\")) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184992340,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rsp-g6i-jdi\",\"attributes\":{\"version\":1,\"name\":\"service_stop\",\"description\":\"systemctl used to stop a service\",\"expression\":\"exec.file.name == \\\"systemctl\\\" && exec.args in [~\\\"*stop*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184991238,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"d5p-vk6-w0f\",\"attributes\":{\"version\":1,\"name\":\"exec_lsmod\",\"description\":\"Kernel modules were listed using the lsmod command\",\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184990877,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ich-3ke-cor\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_link\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (link.file.path == \\\"/etc/sudoers\\\"\\n || link.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184985910,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zdy-kcq-q0v\",\"attributes\":{\"version\":1,\"name\":\"read_kubeconfig\",\"description\":\"The kubeconfig file was accessed\",\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184984191,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yij-lei-ykx\",\"attributes\":{\"version\":1,\"name\":\"exec_whoami\",\"description\":\"The whoami command was executed\",\"expression\":\"exec.comm == \\\"whoami\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184982050,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fjh-jmi-fbi\",\"attributes\":{\"version\":1,\"name\":\"auditd_rule_file_modified\",\"description\":\"The auditd rules file was modified without 
using auditctl\",\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \\\"auditctl\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490457848,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"div-3ym-esz\",\"attributes\":{\"version\":1,\"name\":\"auditd_config_modified\",\"description\":\"The auditd configuration file was modified without using auditctl\",\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \\\"auditctl\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490453830,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"swo-jyw-vtb\",\"attributes\":{\"version\":5,\"name\":\"aws_eks_service_account_token_accessed\",\"description\":\"The AWS EKS service account token was accessed\",\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" && open.file.name == \\\"token\\\" && process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490453789,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"2p0-3i2-b4y\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_open\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490451189,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ybu-yya-acz\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_chmod\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.mode != chmod.file.destination.mode\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != 
\\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1681490448291,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kek-yib-peb\",\"attributes\":{\"version\":2,\"name\":\"shell_history_deleted\",\"description\":\"Shell History was Deleted\",\"expression\":\"(unlink.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\") && process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490445819,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"w07-amm-bxr\",\"attributes\":{\"version\":10,\"name\":\"ssl_certificate_tampering_utimes\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490443753,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pti-xku-k7y\",\"attributes\":{\"version\":3,\"name\":\"shell_history_truncated\",\"description\":\"Shell History was Deleted\",\"expression\":\"open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\" && open.file.path in [~\\\"/root/*\\\", ~\\\"/home/**\\\"] && process.file.name == \\\"truncate\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490441112,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jin-icc-lpi\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_unlink\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1681490440557,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"aby-cmp-yrd\",\"attributes\":{\"version\":2,\"name\":\"dynamic_linker_config_write\",\"description\":\"A process wrote to a dynamic linker config file\",\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", \\\"/etc/ld.so.conf.d/*.conf\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"] && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490436787,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7nq-ugi-gu1\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_link\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (link.file.path in [ 
~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n && process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.file.name !~ \\\"runc*\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1681490436302,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qzs-yvl-f4t\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_rename\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", 
\\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1681490435881,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9hn-ukg-ek1\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222899530,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222899530,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ulc-8ym-1ch\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222899155,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222899155,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zja-jqt-rpm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898613,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898613,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"2ov-h11-m4w\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898408,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898408,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"shb-0xv-eib\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898061,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898061,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"psp-nbn-dtg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222897739,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222897739,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mcq-6by-989\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856493876,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856493876,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tci-5f7-cis\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856492960,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856492960,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mey-lit-gzs\",\"attributes\":{\"version\":1,\"name\":\"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856491445,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856491445,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"4ve-rws-nw0\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856490988,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856490988,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"9aa-y0q-rrc\",\"attributes\":{\"version\":1,\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856490077,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856490077,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tvd-3p1-cai\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856489180,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856489180,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"asy-mod-zmt\",\"attributes\":{\"version\":5,\"name\":\"user_created_tty\",\"description\":\"A user was created via an interactive session\",\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] && exec.tty_name !=\\\"\\\" && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && exec.args_flags not in [\\\"D\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392836979,\"updateDate\":1677793421528,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rek-wb4-s7y\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_rename\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793418528,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"4fh-bb7-747\",\"attributes\":{\"version\":11,\"name\":\"credential_modified_chmod\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", 
\\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793414173,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yiy-mba-pny\",\"attributes\":{\"version\":5,\"name\":\"common_net_intrusion_util\",\"description\":\"A network utility (nmap) commonly used in intrusion attacks was executed\",\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zgrab\\\", \\\"zgrab2\\\", \\\"rustscan\\\", \\\"pnscan\\\"] && exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722067554,\"updateDate\":1677793413474,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3tj-btx-kvo\",\"attributes\":{\"version\":5,\"name\":\"package_management_in_container\",\"description\":\"Package management was detected in a container\",\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && container.id != \\\"\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722067648,\"updateDate\":1677793413044,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"oio-i4o-xzw\",\"attributes\":{\"version\":1,\"name\":\"tty_shell_in_container\",\"description\":\"A shell with a TTY was executed in a container\",\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] && process.tty_name != \\\"\\\" && process.container.id != \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793412844,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qdc-oqx-zsx\",\"attributes\":{\"version\":8,\"name\":\"systemd_modification_chown\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793412379,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pwh-omk-qrr\",\"attributes\":{\"version\":3,\"name\":\"new_binary_execution_in_container\",\"description\":\"A container executed a new binary not found in the container image\",\"expression\":\"container.id != \\\"\\\" && process.file.in_upper_layer && process.file.modification_time < 30s && exec.file.name != \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1652129906455,\"updateDate\":1677793412378,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bgs-kbk-xkh\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_link\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793412375,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tmh-now-e61\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_open\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1677793410974,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kxs-kt6-5gt\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_unlink\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793406609,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ohp-ags-xpk\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_utimes\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1677793405837,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"t8w-eul-chf\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_utimes\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793405627,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ay7-jkz-rda\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_unlink\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793404797,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fpw-paa-smb\",\"attributes\":{\"version\":10,\"name\":\"kernel_module_utimes\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793402985,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"c4t-pxu-ixk\",\"attributes\":{\"version\":10,\"name\":\"kernel_module_unlink\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793402725,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ec9-vff-7ni\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_link\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (link.file.path in [ 
~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793401708,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"r5z-tke-sjm\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_link\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793401181,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"eoy-4fe-q7q\",\"attributes\":{\"version\":11,\"name\":\"credential_modified_chown\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793399502,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"cd0-w8q-vl4\",\"attributes\":{\"version\":11,\"name\":\"kernel_module_chown\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (chown.file.path in [ 
~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793397722,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bw8-80r-qih\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_BAiZP\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677793394115,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677793394115,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mpb-1rj-dv6\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_rename\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/modules/**\\\", 
~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793394010,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ac4-asc-qi4\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_rename\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793391290,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gtx-vpl-ror\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_lszUX\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1675978633464,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1675978633464,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xye-pfo-y0r\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_open\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1674486423764,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"cmu-g58-cau\",\"attributes\":{\"version\":6,\"name\":\"cron_at_job_creation_rename\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486423628,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"sna-hgh-vo4\",\"attributes\":{\"version\":3,\"name\":\"dynamic_linker_config_unlink\",\"description\":\"A process unlinked a dynamic linker config file\",\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1674486422738,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"efc-svz-7hu\",\"attributes\":{\"version\":1,\"name\":\"potential_web_shell_parent\",\"description\":\"A web application spawned a shell or shell utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) &&\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1674486413493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tna-ty5-e7c\",\"attributes\":{\"version\":1,\"name\":\"mount_host_fs\",\"description\":\"The host file system was mounted in a container\",\"expression\":\"mount.source.path == \\\"/\\\" && mount.fs_type != \\\"overlay\\\" && container.id != \\\"\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1674486412444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ygi-ozn-m5d\",\"attributes\":{\"version\":1,\"name\":\"memfd_create\",\"description\":\"memfd object created\",\"expression\":\"exec.file.name =~ \\\"memfd*\\\" && exec.file.path == \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1674486411993,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nlp-lzc-rcf\",\"attributes\":{\"version\":5,\"name\":\"systemd_modification_open\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", 
~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142929241,\"updateDate\":1674486408888,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"avt-p2e-fyc\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_chmod\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1674486407158,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ipa-v3l-kt6\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_chmod\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n 
&& process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) && chmod.file.destination.mode != chmod.file.mode\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486406983,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3xl-qds-f0e\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_chown\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486406776,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"0gu-pqy-o1a\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_link\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", 
~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486406604,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ygn-d8o-ncr\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_utimes\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486406387,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"psd-3el-h33\",\"attributes\":{\"version\":9,\"name\":\"credential_modified_utimes\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (utimes.file.path in [ 
\\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1674486406248,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"atu-tci-bjn\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_unlink\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486405229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"onm-dqu-jly\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_open\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486404864,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kuu-k1s-gqz\",\"attributes\":{\"version\":6,\"name\":\"systemd_modification_chmod\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142929241,\"updateDate\":1674486404846,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"hnh-eio-mow\",\"attributes\":{\"version\":2,\"name\":\"ptrace_antidebug\",\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"expression\":\"ptrace.request == PTRACE_TRACEME && process.file.name != \\\"\\\"\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718435,\"updateDate\":1670604150759,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"f5y-pdn-pnj\",\"attributes\":{\"version\":4,\"name\":\"kernel_module_load\",\"description\":\"A kernel module was loaded\",\"expression\":\"load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", \\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\"] && process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718458,\"updateDate\":1670604150549,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ddh-ld5-2rj\",\"attributes\":{\"version\":1,\"name\":\"aws_imds\",\"description\":\"An AWS IMDS was called via a network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", 
\\\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150281,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"enj-kdc-1tt\",\"attributes\":{\"version\":1,\"name\":\"net_file_download\",\"description\":\"A suspicious file was written by a network utility\",\"expression\":\"open.flags & O_CREAT > 0 && process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n&& (\\n (open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150067,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wew-y1h-1um\",\"attributes\":{\"version\":1,\"name\":\"compile_after_delivery\",\"description\":\"A compiler wrote a suspicious file in a container\",\"expression\":\"open.flags & O_CREAT > 0\\n&& (\\n (open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n&& (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"])\\n&& process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n&& container.id != \\\"\\\"\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150062,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ct9-og0-h7h\",\"attributes\":{\"version\":1,\"name\":\"net_unusual_request\",\"description\":\"Network utility executed with suspicious URI\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] \",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150059,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9dx-svj-apj\",\"attributes\":{\"version\":1,\"name\":\"azure_imds\",\"description\":\"An Azure IMDS was called via a network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150058,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"sah-xju-jcq\",\"attributes\":{\"version\":1,\"name\":\"gcp_imds\",\"description\":\"An GCP IMDS was called via a network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", ~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150002,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"mmk-0g6-4qu\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_VxNSK\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1668731826060,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1668731826060,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uze-gr4-sfh\",\"attributes\":{\"version\":1,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1667938921652,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1667938921652,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mgd-dmc-zta\",\"attributes\":{\"version\":1,\"name\":\"interactive_shell_in_container\",\"description\":\"An interactive shell was started inside of a container\",\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n 
\\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] && exec.args_flags in [\\\"i\\\"] && container.id !=\\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1666888169595,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3lt-gov-2yu\",\"attributes\":{\"version\":4,\"name\":\"net_util\",\"description\":\"A network utility was executed\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id == \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1642158534952,\"updateDate\":1666888163498,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jx4-pkv-247\",\"attributes\":{\"version\":2,\"name\":\"dirty_pipe_attempt\",\"description\":\"Potential Dirty pipe exploitation attempt\",\"expression\":\"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid 
!= 0)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1648564123603,\"updateDate\":1666888163347,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ifl-wfe-sch\",\"attributes\":{\"version\":6,\"name\":\"net_util_in_container\",\"description\":\"A network utility was executed in a container\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id != \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722068439,\"updateDate\":1666888163319,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"aux-r7v-odv\",\"attributes\":{\"version\":2,\"name\":\"dirty_pipe_exploitation\",\"description\":\"Potential Dirty pipe exploitation\",\"expression\":\"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid != 0 && process.gid != 0)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1648564123563,\"updateDate\":1666888163318,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vri-cjo-ywh\",\"attributes\":{\"version\":2,\"name\":\"pwnkit_privilege_escalation\",\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"expression\":\"(exec.file.path == \\\"/usr/bin/pkexec\\\" && exec.envs in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] && exec.envs not in [~\\\"*DISPLAY*\\\", 
~\\\"*DESKTOP_SESSION*\\\"] && exec.uid != 0)\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1643639113864,\"updateDate\":1666888163135,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ejk-rbu-v9x\",\"attributes\":{\"version\":3,\"name\":\"passwd_execution\",\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] && exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722068383,\"updateDate\":1666888162106,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pej-frv-8lb\",\"attributes\":{\"version\":2,\"name\":\"java_shell_execution\",\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n 
exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\"
,\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"])\\n&& process.ancestors.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722069224,\"updateDate\":1666888161764,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"llh-jd2-obf\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_cdxqn\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1666320581140,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1666320581140,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xae-nwo-v33\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_iNwDw\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1666305602255,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1666305602255,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rvp-ggu-cvk\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706668670,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706791898,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"vx9-lii-nnm\",\"attributes\":{\"version\":1,\"name\":\"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706690162,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706690162,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xur-uya-vqn\",\"attributes\":{\"version\":1,\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706656639,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706656639,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"96x-aqb-3yh\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_RMoJm\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706171079,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706171079,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"smc-exb-ymp\",\"attributes\":{\"version\":1,\"name\":\"ld_preload_unusual_library_path\",\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file directory\",\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\" ,~\\\"LD_PRELOAD=/dev/shm/*\\\" ]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1665475122471,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fak-u9s-pac\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_chown\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", 
\\\"/etc/pam.conf\\\" ])\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1665475121157,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ki2-nwj-sot\",\"attributes\":{\"version\":4,\"name\":\"nsswitch_conf_mod_chmod\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1665475120054,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"12k-ui3-z4h\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_chmod\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1665475102566,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ien-7aw-blw\",\"attributes\":{\"version\":4,\"name\":\"ssh_authorized_keys_chown\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && 
(chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1665475102281,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vqc-lta-u8c\",\"attributes\":{\"version\":4,\"name\":\"ssh_authorized_keys_chmod\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1665475100348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"m1y-sk8-b4c\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_xkrhu\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665129615755,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665129615755,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"19v-30b-0xf\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665129432848,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665129432848,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ehj-52q-wq0\",\"attributes\":{\"version\":1,\"name\":\"shell_history_symlink\",\"description\":\"A symbolic link for shell history was created targeting /dev/null\",\"expression\":\"exec.comm == \\\"ln\\\" && exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1661193980229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gp1-mai-dlc\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test_us1_prod\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661183150504,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661183150504,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ai3-b8g-lbc\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test_prod\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661182864424,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661182864424,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tmz-dqc-yml\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661182722064,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661182722064,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ez9-ozl-3lz\",\"attributes\":{\"version\":2,\"name\":\"potential_cryptominer\",\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"expression\":\"dns.question.name in [~\\\"*minexmr.com\\\", ~\\\"*nanopool.org\\\", ~\\\"*supportxmr.com\\\", ~\\\"*c3pool.com\\\", ~\\\"*p2pool.io\\\", ~\\\"*ethermine.org\\\", ~\\\"*f2pool.com\\\", ~\\\"*poolin.me\\\", ~\\\"*rplant.xyz\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1658502077556,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tef-sab-thr\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001153179,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001158687,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wup-o5b-tjo\",\"attributes\":{\"version\":1,\"name\":\"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001152681,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001152681,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"c3v-vla-rev\",\"attributes\":{\"version\":1,\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001148856,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001148856,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"yel-nbl-2pj\",\"attributes\":{\"version\":1,\"name\":\"testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1654691372829,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1654691372829,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"rp0-hmk-9c1\",\"attributes\":{\"version\":1,\"name\":\"ip_check_domain\",\"description\":\"A DNS lookup was done for a IP check service\",\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1654020337230,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"q7y-2ci-hkh\",\"attributes\":{\"version\":1,\"name\":\"paste_site\",\"description\":\"A DNS lookup was done for a pastebin-like 
site\",\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1654020335889,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ntj-rfs-mw3\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1652008845797,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1652008845797,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dyn-u7u-v86\",\"attributes\":{\"version\":2,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997888388,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997888544,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mlg-yxw-uig\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997887223,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997887223,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lq3-t6t-xng\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997886363,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997886363,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"1hp-hpr-4ez\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997885869,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997885869,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mt3-pks-n5s\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997884985,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997884985,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"r4a-yvz-rj7\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997884150,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997884150,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"5k1-gwi-0aq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651943472022,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651943472022,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lkj-jnq-r6s\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651915815493,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651915815493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mbc-iwk-zpb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651912470539,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651912470539,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fzb-lli-m26\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651867150336,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651867150336,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"9mk-xxe-lpw\",\"attributes\":{\"version\":2,\"name\":\"suspicious_container_client\",\"description\":\"A container management utility was executed in a container\",\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\"] && container.id != \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722068555,\"updateDate\":1651671394200,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ieg-lmk-cgo\",\"attributes\":{\"version\":2,\"name\":\"kernel_module_load_container\",\"description\":\"A container loaded a new kernel module\",\"expression\":\"load_module.name != \\\"\\\" && container.id !=\\\"\\\"\",\"category\":\"Kernel 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718705,\"updateDate\":1650371511241,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"lzx-kkv-at3\",\"attributes\":{\"version\":1,\"name\":\"ptrace_injection\",\"description\":\"A process attempted to inject code into another process\",\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718540,\"updateDate\":1650293789265,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"foo-pve-qbq\",\"attributes\":{\"version\":1,\"name\":\"kernel_module_load_from_memory_container\",\"description\":\"A kernel module was loaded from memory inside a container\",\"expression\":\"load_module.loaded_from_memory == true && container.id !=\\\"\\\"\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718365,\"updateDate\":1650293788418,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"irg-o45-pxz\",\"attributes\":{\"version\":3,\"name\":\"example_agent_rule\",\"description\":\"An example agent rule generated in terraform\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1647036168203,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1647036377676,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rsy-7jg-hqm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392938634,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392938634,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"m39-rre-anw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392919175,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392919175,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"4wd-unc-xof\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392899126,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392899126,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jhk-qpj-jlt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392475857,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392475857,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ruf-aic-d4j\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392453588,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392453588,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jtf-zrn-0ph\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392434263,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392434263,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ijz-1cz-bms\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392042558,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392042558,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"21m-gs8-p43\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392021741,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392021741,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"in7-ydq-pbw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391998597,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391998597,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"v8v-sem-rmg\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391745920,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391745920,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kox-qtp-cbn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391725233,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391725233,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"thp-evn-3gr\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391702920,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391702920,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hx6-v0z-9gk\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390450706,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390450706,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n8j-9n3-urm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390427444,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390427444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tkl-mjf-is5\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390405807,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390405807,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"up2-fhh-bc8\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390171673,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390171673,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"vdu-0rd-lnj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390147278,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390147278,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dfb-wz2-0ka\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390124588,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390124588,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"7vz-wdj-vwc\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389998703,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389998703,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"qls-upn-1vc\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389972825,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389972825,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rxo-lya-bqu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389950224,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389950224,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dm3-ip4-rza\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389929035,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389929035,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rzs-ccq-4qm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389773436,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389773436,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wa9-zm8-8ds\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389706550,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389706550,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"alm-sgy-vz3\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389645597,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389645597,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dls-vo9-rqx\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389575084,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389575084,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fyz-u20-nvn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389549031,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389549031,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nqv-0et-fcj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389523942,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389523942,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"u7v-36z-wue\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389502800,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389502800,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"y2z-ffa-zys\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389479547,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389479547,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cym-1zi-nnd\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389428402,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389428402,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ip9-wgt-q3k\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389406698,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389406698,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"t9d-zbo-2nw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389381751,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389381751,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kaw-0h7-dji\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389356453,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389356453,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"m4i-otg-jnj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389335243,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389335243,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"heh-lnh-xwm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389226802,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389226802,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cwa-5rh-qtd\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389204108,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389204108,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"e5l-xtx-hmi\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389181761,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389181761,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ebx-lyj-r3a\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389155207,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389155207,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xac-4if-49b\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389130549,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389130549,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dh6-bdu-8v0\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389106392,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389106392,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hkd-6dr-ify\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388960762,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388960762,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"bsx-fod-0xj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388931383,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388931383,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"8jt-x9p-yoy\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388907818,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388907818,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rhd-qao-dub\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388883010,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388883010,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"j0f-fhi-ab7\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388862340,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388862340,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rvn-u2c-xm4\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388843151,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388843151,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ldn-agb-3fl\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388744863,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388744863,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cyr-g7t-to0\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388719895,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388719895,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wnm-xkk-mat\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388693095,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388693095,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"moo-kuq-zbt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388275282,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388275282,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wzs-moc-ji9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388250051,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388250051,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uw2-d3y-5h6\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388226579,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388226579,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fez-txs-qf9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388201323,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388201323,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fga-mna-xej\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388177724,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388177724,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"iyn-7sl-swn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388157048,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388157048,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"p3w-qyi-pbo\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388010676,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388010676,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"yyt-sfa-fck\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387597089,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387597089,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"5z7-fqq-siu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387573023,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387573023,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ivz-amj-yl7\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387549793,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387549793,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lyv-3xn-qch\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387524178,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387524178,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fpt-c7o-ipx\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387500298,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387500298,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tap-fek-5kw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387480011,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387480011,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"u7b-x0z-cbe\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387165931,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387165931,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hhe-gcm-vjl\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387141298,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387141298,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nt9-5fe-de1\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387114912,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387114912,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pj0-bcy-euh\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387082695,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387082695,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rm5-px4-iua\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387057879,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387057879,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cqz-7pc-ajz\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387032689,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387032689,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hot-prj-df5\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386926682,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386926682,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"q7n-lvv-4au\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386901939,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386901939,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"gly-5wu-uny\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386877222,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386877222,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"umz-fjl-7qq\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386850558,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386850558,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"spq-5f8-isw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386826170,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386826170,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dul-hdz-xmo\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386804704,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386804704,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n94-q2a-co9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386762229,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386762229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"x1n-wra-hdt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386735946,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386735946,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kgt-kcc-tnu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386713348,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386713348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"znp-dul-gcj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386674573,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386674573,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ily-tsr-dtj\",\"attributes\":{\"version\":1,\"name\":\"compiler_in_container\",\"description\":\"Compiler Executed in Container\",\"expression\":\"(exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || (exec.file.name == \\\"go\\\" && exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) && container.id !=\\\"\\\" && process.ancestors.file.path != \\\"/usr/bin/cilium-agent\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392836759,\"updateDate\":1636729662344,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jl5-wjt-58e\",\"attributes\":{\"version\":1,\"name\":\"aws_metadata_service\",\"description\":\"EC2 Instance Metadata Service Accessed via Network Utility\",\"expression\":\"exec.file.path in [\\\"/usr/bin/wget\\\", \\\"/usr/bin/curl\\\"] && exec.args in [~\\\"*169.254.169.254*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392836096,\"updateDate\":1629226276630,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8ol-dkr-aml\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_link\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fdf-wvb-c3k\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_open\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pkn-azw-qia\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_rename\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wpt-ba8-mpd\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_unlink\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7ud-d2o-qgo\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_utimes\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"za8-uxc-jxk\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_link\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n link.file.name == \\\"authorized_keys\\\" && (link.file.path in [ ~\\\"*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nej-iw4-adk\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_open\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.name == \\\"authorized_keys\\\" && (open.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tiz-yss-zhq\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_rename\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n rename.file.name == \\\"authorized_keys\\\" && (rename.file.path in [ ~\\\"*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"apr-zj4-ee1\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_unlink\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n unlink.file.name == \\\"authorized_keys\\\" && (unlink.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yhq-etl-wr6\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_utimes\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n utimes.file.name == \\\"authorized_keys\\\" && (utimes.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"m8i-uhr-aoq\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_link\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"adl-qjr-lyg\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_open\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"2fy-aqt-8mz\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_rename\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ei7-n5e-rvv\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_unlink\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"}]}\n"
 },
 "cookies": [],
 "headers": [
@@ -100,45 +47,8 @@
 "status": 200,
 "statusText": "OK"
 },
- "startedDateTime": "2024-04-23T17:57:49.515Z",
- "time": 261
- },
- {
- "_id": "250bee786d7faffcb64a6f5795a43044",
- "_order": 0,
- "cache": {},
- "request": {
- "bodySize": 0,
- "cookies": [],
- "headers": [
- {
- "_fromType": "array",
- "name": "accept",
- "value": "*/*"
- }
- ],
- "headersSize": 574,
- "httpVersion": "HTTP/1.1",
- "method": "DELETE",
- "queryString": [],
- "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/sk6-sni-wfh"
- },
- "response": {
- "bodySize": 0,
- "content": {
- "mimeType": "text/plain",
- "size": 0
- },
- "cookies": [],
- "headers": [],
- "headersSize": 601,
- "httpVersion": "HTTP/1.1",
- "redirectURL": "",
- "status": 204,
- "statusText": "No Content"
- },
- "startedDateTime": "2024-04-23T17:57:49.782Z",
- "time": 153
+ "startedDateTime": "2025-04-01T14:30:58.975Z",
+ "time": 251
 }
 ],
 "pages": [],
diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-CSM-Threats-policy-returns-OK-response_3463845221/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-CSM-Threats-policy-returns-OK-response_3463845221/frozen.json
index 3ccb6f8fd49d..50a39615ec31 100644
--- a/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-CSM-Threats-policy-returns-OK-response_3463845221/frozen.json
+++ b/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-CSM-Threats-policy-returns-OK-response_3463845221/frozen.json
@@ -1 +1 @@
-"2024-04-23T17:57:49.946Z"
+"2025-04-01T14:30:59.240Z"
diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-CSM-Threats-policy-returns-OK-response_3463845221/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-CSM-Threats-policy-returns-OK-response_3463845221/recording.har
index cbb51f777f68..f2bf5c465b2d 100644
--- a/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-CSM-Threats-policy-returns-OK-response_3463845221/recording.har
+++ b/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-CSM-Threats-policy-returns-OK-response_3463845221/recording.har
@@ -28,12 +28,12 @@ "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/download" }, "response": { - "bodySize": 18580, + "bodySize": 23004, "content": { "encoding": "base64", "mimeType": "application/zip", - "size": 18580, - "text": "UEsDBBQACAAIAAAAAAAAAAAAAAAAAAAAAAAOAAAAZGVmYXVsdC5wb2xpY3nsvXtz4zayOPr/fgqEdys/W2cojT2Pzcw9s3sdW9n4jMd2WZ7N2Yp9WRAJiYhIgAFAyZrjM5/9V3jxJVKiJb8mUaoyFpqNV6O78Wp0/z/g+NP52cXlwenle9APsOBAUCBCzMEIRwjMcBQBQgUYIsDQKEK+QAHABIgQgSMoYEDH4CBJACSBRh4iQKeIzRgWAhEwwyIEBM1AQiPsz3WpAZ2RiMKAd8F5hCBHIKYBHs0BSyPE64ofUQZGaRSBUUp8gSmBERbz7l+miHFMyXuw191/033pMv/Nm7+oUt7/BQAAXICD9wAmCWQxZZ6qBqPAE2KuvgMQIO4znAhVygGRtR1IXJAwqkkAObD5ZNMgAZgIxKAv8BQBjrhsgSlthCOBmKlcN4By8OEDcCJM0hvHwNFNwnS+9wDdIL8ra+oSGCNZw68OhG6AORxGyHkBZMqncRJBTEwSpgEWzjX4/nudXYi5p3J/98GxdZgCgvdgBCOOiuSQuX0ReSmHY1RHh8sQZVjAp3GshhdykHIUSA4x46Vwgnvru8S11TpZ5yAbc28UwTFXnKgIxCUhIue6XV8Dz6dkhMfZ+C/tcwA0dsqg/AIWuUAyNU0FSDkm44xQ65OBJohoMiRQhAq3h4TfUyXrf4OubJQiisZW9Pge7Jx5hxf9g8vbM+/y4vPp4e2Zd3B+3j89uj3zLo5+ubg98365ODs9+fcu+Dt4KbMnjPqI8wLZvyuSvS1FpZB5soy2RNWy/ejEVOxSoKZqRjfQqa5KSV6q0tt8uX4OBJ9xD024xxGbYh950PdpSoQn6AQRmUKcN1P/4JcB6H8cAJMbmNxA5VYjUSlhc5J/+Aqc3hSyHktJjyOfIcF7aMK7MIZfKIEz3vVp3DMtMg3qdToF7i6pBNVUZ4GUqq5MI/RoInqBnjJcOEZE9FA8REGAgt4Qk54CqZFegcjnXKDYTRgdolb4yE8ZFnO3dQ2mF+0zCAZ9tBQ962F9P3swiXuY/IZ8yd6Cevq3x1LiK9yUM1VGELgh5cLFhAsYRbXffEoExASxJqx6hPpGW4gfpVwgZjrZQq/PuIfjgDfN4r8MwPGno4FicB9GEQrAFEMAAUFiRtkEpALLJcT6TK/mJjk3av6bjZEiu58y1d9olrh2nVOYqeVkpjJ8dTp7b99199+87pq/vQgKxEUvRgK6ki49DOOcvXyGAkQEhhHvdZwXoFjA31529/968MvAOzw7vTw4Pu1fSCV11D+9PD44GXgX/ZODy+N/9b3PF8c1OXudXqHwf+DgQ6fNCHxJGVo6BhLh2xsFSX5NfUURMe9RmIpwv6fU0D9ggl2z6mxFpiHk6O1rL0A+DRrXWhqpdqWlMwJMRpTFakGyIbHKulXXXLvYUgQNWnTRR0zIgWxeTx4aDNUzWU8qdO8Eg4THWADKbE8hSKjQvBjNQQwj7GOa6pXDyq7PMAnojLfsvG14F90gRYKdHc1PcRBhgtRE1klZ5EM/RJ2cSKXvPImw6Di74Pa25qvuVMfZXU3FEApGaewx9HuKuKiVKnB0OgAGQS+jYIDU7ghmBYCAxhBvwCYB4V1VA6aksCkJMPcpkwvRWG1DEtwVKEJjBuMuZWMldgHpGjSYJAqzBfvQOKbEI0h4mAiWykZ4cljqKVBRHWCHxDDZNaVEcy04WG3SdFkACgH9CS8x3/rUqd
uvySbI/seQcx+qXdoowUTR5MuYwWH2Y1/+YikXFi8h6tf10u3OvySm0TrtKJrIlTkcCcS8AEV4ilj9htfiMjBjVEjp4ylPCiKntrwgm9LXp9utmyGXFtRmPS1XyxmCFMUsAcBO3QJTxEnDmtEo9u6Eqsmu23Gudwul3d7W7RG+6iWrKVXm6wVo2uNhnKUZpcImOmr1Yj7ItU9EfRj1IjyUGNdZdbulPtn1az5h/QanUC3B/Ahqfhn7vvPCGfq+cy2barNA4iMuKGuduVTz4h4k460EJ6oXyVyElBTb/v33+bh3caC2Lau3K5ahPEy8Kts08l5xWsCE4wABOrofvtupE9iVZK/mklWMqVO7ghimOAoMW7BUknB3t4Z4TmkLk49nzoeSwNlC2scRTmOzIF5NdQb9SQwTT7bOq2i5Etk/EjojgI5GiHA8RUBQGmXZVefaK8lV062dCg2hbC3ym6GXH6M2q6h8fZqf4flhTGt7OJA9U4dzeTalyziYIYbyowdz5AAIJS4XkASQBYoeKzveRssVNRgAO6q5FaVjzh14CAM6y44hxiYNSmprUY5LG2Dg9LhkmylOZtmGrAwxqTGrfi9AFOdZvg0ysNZuDR/VPo76k/oM1S+qzjGjaQKDCjTliNUCY1oDDFB55zlOIOezcrP8EI5ROasf1uAZELhuIniduFrSf83LgYnolOmSTMYlAEviUjolUAhEAhS4aTJmMEClz0ShF2pIcFKuYZ7G+ejCZJIPAR72OIFJoP8tTkpKO+X8GMi1HlGbi24s1+DffSh+jgs7lztKKJ2Rb0lC6ay6LNhK6FZCn0pCiwxZFNFUr8UKXyXk9hY04I8X8Mc4aLEhrZHoCJPJtyPQsrV3lOdSAbe3IC+iSNHWxW3Vw1Y9PIR6WEt45a7Xm+5/M/JbvncrXLyV7tnsRdyuvXAr64Carf5WaLdC+xRCWz4T8BmCAgUeFODv4N1LvpZIM0RgXHvk/iwleke3947yWJ2Ti4VsZ+WtgD8bAV9LhFPybS2qdXvvKMJbidtK3POROIFjVGu18EwlTrV3K3Fbifs2JA4L7MPIY2iMuWBzD90klNXaMzA0RgEWmbGLxsyKALYIEOLpfRp/qDtAhsbK8OMFcEw7VPJ6wczD3F6Fkyg2t1bhBM09xadeDP0QE2Q+aONBm4DZL2PE1e6qixIPCu83OvTUHgFT0nzXdUBASmAqQsrwFxSA3+hQG3UGgSapLA5wP0RBGmEyXknENfRT7c2WuU/nCaVRTzYiu0aXekoCup0FkIDDO6uuTH5EWXyz4nLeXfvaY0UrHlKK70OjNmuDtdmx4WLnebBjzTXOc2XHRznj37JvmX2bNlzPgXvrNlcbMG+p8Bb3GRtU9WBysuXiWi6mCXquOrjpxUztA5ky/9ed12+Z8pthyuYD6WfAlg3HzxuwV1W9rj6a3qCyLS8/Li83n8w+B16uP4fdste3w16Nx5DPgr1qDx237PU82WueCBrLSjzIxvU8ZWkDIpgSyTraNwNk4zRGRHAAOac+hsJ+KZTK1+ew2ldlfpK6CcOUYTGXFAgogQK5EZqqg9mvDoMkoPGNuzceugkcq5fY9n1V0fSeCwZFGv+H8BN71GYgnEdlyN4i0t4i1v4i1n4Bi2AfhZCHJjlHPKEzxO46SIhMawfp3AwRIlPMKJHjAqaQYVkkBzEUvh0WP2UMEX8OVIEbDo9sjh6Y87OzE+/zoH8hR0UnLk6y3+cHg4FMHJ2dHlz2vZP+v/onbXqessjT/O5x+af2LPgyROBIIQGNpFQeQyMkO2p8bwD/88WJfSe5Ya/z42D1FjBl9T4nFF1Sgm9c3ayGZ6S6f12J09Eolecfbd7OBFDAIeTI4yGKIvOMI3/yWRFoiw1gkkTY194qeAJnBAUAAlXGC/3HvpZ7ASgDP19enm/+8rY4deT0LN5PKTUHeei8KKj+ggZc/CTB9UABBfbdxrJqMw2b6675ZMGurqsh45fGIpsr8x
u/TBq/iPpMER72MMGCwXjEXUFpxHXDUz4f0pu6LtV+sdWMcC0dJjx896oGzhYbbMG1+FE9ftwMXk59n4eQJTVZE9pISVYtTPFL82jN61njCw/fNIBtm4Gco3KMuz1NX8hZFiddmy+XQ+ZnOJaUsAl1zWkTdEayRIYTQIGy3xlyMMp+YWZ/Ij+k9neUFRVx+yueFJDjCcnrjicCxVmV8dT+SmYZCkMwkDuXLB3nvwrF8gihrCAu5DrB/J4T3/4WNPVDm0ilLreJqSkqk06mETMFsM/TuASAHL3ar0Levq5CbCUZS4Y+JSXApFKyZIFSWr0YL0HSUjLAzKcRZbwCrFYdpMUUItNS8iaBJKhASiQZQV/QMiQutWNEo1IB6ua91KgQwRJGSLnAJUglZf2B5KDfKC6Rz7JGlqbjar/j4E2FxBrSFehGvecvtTGejPCIFiFyEVdKlxpEaJgmJYBcOJcAaVyhFC31MoFcoDJAhH5Y6laCyWReArByChNRGVEFG5Ug4qaYZAhGsqoSLCUV/uTo91IyhHsVavIQ7u+/rgG+ebsIfPVDDeabvap48ZChoAxIS33hlJVIuiAkUsmW08GwUkS5SgH9chKXxlkgVE7yUvFy+0vLcilYOZUSH5YHWlR7YfSWTaZkUSxTgn8vp6sikHJU1gWzUsdmIa0kYYwtxNitMEqFc71bPG23W+UEMkREYTWsppt4zn+P1O40pmSsbWgSysWYGa9YWTnf7TSWJNePcrUSDJ1ijnztLBFcH6jNMgIudHbvUHLWnMayvzqdZOzNYNTG/0aAIiSQpy04vIjaU5WGXbRGD4zfCaCzgYiOtb2YybzGurr2XC/3p5WKWLmaUICIjnuzKmBYBUSQi4iOS7ARxFEVxue8CooR52r7XcJDfspQCQRTEXarmYeUigXgBDGigNfF8xq1TMpcEhTORgqnJ6s3mgFKIjr3Eoanq1wPSBwcobEaQYOp3RRps/z1x6+yt1Qbv0bL//8Ee7xEB5h4CWIxFpK3vgeHB+fe4N8D7+Do0/FpwUXGEhpgJuZeghPkQSEXY7Wb7XPrYgccSXwg8WUvIoqF3keWM69Bhx2pwX3UVU1BRLC52lCD78H58Xnf+/HzT95PJwf/9A4PTr1P/Yt/9nclrZTHvHLWGyxW5vxgc1pCGvuJkgM+YyPxsoUuyIlYJMpalLwvCrYhw9/BS3CfZKCCIOEFaZwsP4s4yhHLzqskAGY6M0YxZauPHFbZ8ZUdLKmqXVlTk4cmn0YR8kWnxfnLnMAY+8pABDHrNXTJPVDWNY2jzl1MIUAXYpyJqllhZc/vOikg4feioMtpN2FIbSRfgCJU+QzNzuJzWDfodfTH66c7NX8A+9S7juyMYVF/WZ0NrHaLJOgDDWyjt9J7GNb79Fv6aFzxwHcpoKVh9kqfnK2dd279iX4L/kSV26SIN1hZf0SMoAjENEiztyAR5iJ7CSJCBFTue7qbUOthhSYLXT1xqebrnV9d+y9DBPTXko/J1n6eWjbWbD1btpbFvHZxrhorP0pBHTMY3387ZentmpkK+dEbYuGp2/emBue4YIhF+bYeAoJm0dxuLTacMQr3LgVjdUy8NEkQ8yI4R6y4Iy4g+SEkY+QJHCPwn+DVS17CW7iuaiilhdl825zfg4F3/N+fBxe38u8/L87V37PLn6umgZnKZuOp1s//cdNCqsd+ssxD7T8Pz5+/f1rrj7Y7pnSsRlogRmDU82mcpAJ9sv5qp3v6fJX4yPrWdo1zbd4L0AimkdBObPXlddXx7QblrR6JEAcBItphPFrine7AYCohqfoFrHinpFGw8dV34UjpK3C6hS1EeVH21emFNEaZbUvRT+QSv5GrCVOIJWFufVf6TawEoFD3u5JSXED2AA4UCwpne8+7vefd3vOCWme9Sr/jWtOPFpYfmEwRHoeeHOpmP9qZfZDViRUTLnMYraDHukTt37NY4uYHL2ZmGiSUjhA7PjfWUBcoieaX9Piclw
FHyh91Bfjp4NBCBgSPTDkt9GXi+SHyJ17Jy3VlDjk6HYCI0kmqj6MCSqyT7ONzoLLbeBgradKoFhu8ZGMfkhB+wYn1k40TFybYpuI5TrpyYy6zG5hqEE7K4THkh1kIBeYqC5zAGOpSFo9s8oPmFuRTi1TuobHsiQejiM7qp+K+wgCCwdEI+8Bgmg2PLWd9+pWX5La8so9cuwxiTrdz9vny/PNlt7Ozs//m15fum+vbnf1fX7qvr2/3roLbX/fcd9e3u1fB7lX3H1fD3f95/b/dzsHhYf/8srLpZwXH2szZ2dv/21V393Zn76X+87f9q+7er2/dd9d5WtZj0v+/Arz69aW7ZxDeyQxvf9CJt++u5FrqqrvbgpV/g1NYtfTy9FVXPVvLDNnB1NbQa7sAsDm2C4DHXgBsDb22hl5bQ68CZGvotTX0Gm4NvUzyqQ29simmsPKtNaKSS8rVu4bf0mQuEGv3LOG/NLJcZKMhpZN8t2qWqibbGkvR2lgeeq6006SdIe3kqOZFMyWq2VBNhHrSMNOfmvmULrHznZ3qsllOTXB6bitMa2pGs5OZncfMFGZmLztx2TnLTFdmlrKTUzYnZVNRYQayE4+db8w0k80uelIpziX5FKJmDq1eMoY000M2K2gVZ+aATPUbjZ8pev1PptaNNjeEyHV3prKLKjrTzEYhKz1s1a/VupmyVZS3qjXXqFaRqsYX1GamLbWSLOjGTCVqTZgrwKLeK6q7opYrKjer04wqM7Jv6W/0VaamTP+VUjK6SKsgo3lyhaP0TEG9WK2iOaigQ4zqyDSGVRRKP2i1kGkDqwOy93IVcVm5PK3Npfdwjv4n36NpgN5kFf9kq3tH7aMc/UVtdRy1J3D0vsfJdi2FX3qv4pi9hqP3Io7dezh6r+HE+Z+8NrtvcPQ+wZF7AkfvARy93nf0+t4prueVYWyNWUAh0pLWaa7RaZJuFhTBYYu9/uQH7iU0WDOI68d0iBhBAnGQ0OAxY7niPDRWMZrrJGtQF9OaSK7qHuQuGQoGK3gb+/VPbauxdLDlaNvqShGyZDU+ZSggvNQmg0QTxKCa74DTiyGBY6R/j6IUEeEOsW5TnnRqzI8imgYuoQFyi0UYHnel0kCuz7GCGv4of3EDhqeISQ6b4kD2eVZpLoywT1UdGeXgjPf02bCrWjCDwg+Lg1//TeUnY0xuXEzUWa4aHUajyDQ8I3wqKPdhFZwwmlAmVLT9Kk4IE0Zv5k0lS3FX2hW5MRIM+7xCbHc8Qa5292iyDNXOVd9tu4ZwuguS3gKx2JgOuCEkQbQwfPUlTmEa1Q2lbKAvNHcqqB4SqQNR2aXpGIsIDl2WkuKXvCRVQ52xmpZcNeARJshVxoZ1JRgvl7pzFUJWGXBhwLYWbX9OLbl6xaFs1jxts7bEgSggaGaQjYFbbr20/jLi7t5CIzzsGQO7bAWRmpPwAvxOjkQe0lD1AcyXF3r0R3AdvKo/paCXk4K14yYOW9uLRZMj08cXi3qvpVuxWOzRViweyXFsWzFqfh/zyFLU4BKttRCVSmvnLrV12VsB/ab6tqo/ywT0ruJDYcPabFF0JO4msiPzm3orgcDJyDM2OC8yexxP16Ahb6ugYVL6XMpukIl24EZGHkNqQY2T6WtTgXfR/6/+4WWxOgZnSylfavFXZwQjnxI1wvWcARPR1duVoBtAHClvYze6nW6ExtCfu3EaCbVl59wcJrgzyiZyb7XGOK56eJy/NtYjqV8HlAf6Hke35vlxW5PEmr6NGI290ivOlvwKZM627z9b9U6XW2yRzCtYetclYLVjqwawTRetCfa92F+36/V9jHGjR+lHnsY3e7hYKqrJn/R21l7s0XbWVv+1lZYlrq4fWV6a/Vq3ZvNSeW0dWbcufStE31TfVvXnHoVomW+FRxaiRofaWzZf7NGWzdV/rdm82df3o7N5k2PvLZsv9mjL5uq/1WzOWRtnKsaplAn2R9RzeZlNuVCgkv1R5PIE+XiEfR
P9b3Pv49kjo5gG+tISVB8EKT9BMWcd9cpJd4W3cBgkyeVFmNc+2GnlNWLyAE4j1CCCusfksvo2r+xycx0vINxDJI0Ra/SBVTBPOjodgEXsNXq0+LxOokMy78r/+dTvmgvRrroeV90t5RHzROUZXPyrZm/c5q1cFHjG/46XkpSnMPIiPGSQzT0pOHWUuAwRODnyzi/6J2cHR5nvdoA5SGiSRsr/w3AOoDpZ1s4hik/acYRAgBnyxUYHJajk1f2rkzfpQ0c/VVfapQDOH6234I4IDxMYe2iYjLyQ0trl24mmlMHtcgokZsb66Mfzn9bv3zAZdf04kEg/nv/kfTo412cE/QXBxub1YNaMbqsOUkrQ3BMpMY8ltT+32n4qVHBpUMHO4b/67v7L/Vfu63d7e7vAZM1V3/q9zu0yc+cZg8/HR9ZhU/49xYo2ObToB67KHJ1/nhz/eOhdfj49+PGkP2hDnxjFo0BHMqnV+Oo7oMPfkC/u3aOi1NWqglpnDR9aiXaMCVZu7VY+tTanbOoZcRonJd1tSwGjlPgymz4D9GnMpz7vBi1M3ds+uVYT1CdM8JFydNeqg2TsJZRGnn4JXdfJfGZmiNNoqo6jpQpXhG4MCKJiX/sCTzd6V1r/gPqr04kxQTcxM6+gvzodAgmVPelSNtYQniYJZaKE5b9SOFk62VdpTHUSiVDZkKG8lNF+JQelESbdGOkkSyJIRPdm/mWzN9exsvQNKRfeqHYPIGcN+Vnrf+NKVnKcypmFvtj8KFmV1+U0ZX5BXHpKjvS3EffUxCl7RqeIRXBed33QvtuSaF6Ig6VCZny+aMlS+Tbto/o3oZiIfJPz1VGGZb09s7lRif1i4lUx8bqYeFNMvC0m/lZM/FBMvGujSgkS2iuOtcGvl9PqIkFyh1ylCkT0euLePBYVdo6lc3hzDF/1Dtj23WtW6Pffl3ak1QN6qeisNx2waBNuVESXh1pGu775y42YdyfUKe1Qb28bbNrllsfuc+WmqRi26g6ufdrskuQg2yUkQ0rp1Q3zaXkMK24+Cizw+eJ4/QH+P3d7r1y3jegmoQ2S1P0tGXeca/B/2hFB4KiewSv8e0/+6RZ8F+Td5tTXd9MBVlt1wvU8KX9LZay6R5DwodBdJb7agROZbYMH4LuNTtc+2LvanN5ZRDS5d5P7HNkyQ/m9/b91X3Zfdo0668RUBN10mBKRysYUTvVXj4mHbiR1m7d4/cJ3u5ZVvtLuTe84ZSpeKTJeOS/AlSKk/lUk5ZVmziuSe+KhqrXckOxKuYh3peB/6Mj8FhJAATPIZfYr+PD/2Z9pImsoZ/3pg0x2dLWFWvMDoaviIJlchWG6cq5Xz5rZiKx0A7ZUZO5tyfBNSdB3TyJBchA8TvBoJJfcgtJaFXciK8+ebOl3lvpMyJ6XyNX3SGjPwsZGRLl0A9nifY3xq3vMJ/xEblskZQUPIZu0WqfMvCEmkM0LzmpW82jelcIrYIJmQJelhmdEU6IYVu6p8gw4buOzqrHj9YxRWsMvOM0sf45pgEcmrlrZaWaVqu0WxITzGRZ+qLxPezENmq3yLSqI4RyEcIrAECECdIvMgoCmAtggoRsett3RWl+vkWwbtcfp4rXAGnbbT3eNUONT+j4dTq/FFQ1G6c+IK2qM1VtxxcOaLW+5KOeipnv1Z8NEdbft9TxUytfCKnslJ65BzibbuOdCzrLN3E7FNu7W7N532xvJrSTiVtjK3OFN97cMsrAKyFZhhahHfwfvXvIt++Ts02xK+Fy4p8HEsJ2+Xm1MuJKX1iBqs2nZsyFqvcnZgxCj0QDp+RCj1jDpHoghAq53qsrIIsKkVtJOL48G+my9HHN8Mds93ebJdnUD3CYuFR2NEOF4irzJD7zxhOEATAidkYLxBkgQEUrgxtoPdAi5Ht7Nj1brfHGBr04yFyElHeMke8f5mA7xwIekm8wdiWNPZqZSMTiyqVwwPEGs8nUX7Db4IlK5MPchcV44kwCPlR8OVZ
QbpkS9R3IYnEwQ584LJ0GYQYG4QeE+TJD5DdNAeXBSWSNssuqw/9x58dUZUjF026h0GuNx/U7+LMbqTZH218tVNLQ89GCIo8DOgusPRXbF//dKqLe611OyJGoa1YLz5MIms+5qsGC0l8gSWR3wNBhygZ1Pg4tdEzgrNYfJo42ioVRvjz4Ap8fn3Bgs9mLOeglkMEay4F7Ruqtwu1S+4Vr50KRVHMYE+hM4Rp52FBMjIlaelp3rLCDPos0OkED+fR7pViwmHnq5dd+2jGtcRScw9kqneY0Hb+cHn558ImzykCEnwgTG3UBfR+aA+ziAW4eGDcdUz4OG9e4U7kjDhz2uujvNm1a0z4HkDa8nVlG8VEiLw50WRd5ldbhA4qaDnmdA4kd4F/mgpG3e5j4D4jY/oltFkyoHr97utih0I0I3b32fA6EbH1o9LE0ad8DPgiZNr3LuQJM/74laAjmfBcsdU1+GyOAByoAfmt9F4wkbtloN/xxAkl3XK2TKNtgu1yy6C91UbclIYXx5G2httKnMa8dA5uJC7VhbEUogjzc+1GkOnKRyDjFxIzxBoFDCGrRoCJ1kq7Dhj8Yh5aKQFojFheQkGjMRdjHdzDo38bG3t+e98XyGBfZhpM0cMOLNu4RDg2ptdW2OBjWyPqXuvkmQrGOMFXnht+W0QrL6OZfYBWARdUipeFbvAB9H+Sx08o/wNLA8d9z3hnGZYDVsHZ+FYNXvHLeCtRWsNQXrqU8RmgWxaZvwDOSwYY/wiGJYak+7k4lHbN1WSfxxlMQmItx0XvX0InyPx1UNp1WPKG5badtKm5G2BkOvrcBtBW4rcI2by0ZDwE3EsflG4emlsflC4amkqO3dxCO2b7uK/eOI+SaC3Hxj9QwEufHCaisoW0F5bEFpvMZ8DoLSdIu5FZStoDyIoFCBiMAw8mZoaMIT6zjHdRJyAGZoCGCSRMYoQBvl5pGJAWXmx8buDBbezVeEwsTiVzFJC4NZGJHFT0MVTrsOmEdkrS2rNtOwue6aTxacxVqtzfilscjmyvzGL5PGL6I+k2QlTLBgMB5xV1Aacd1wG1t2sUu1X2w1OhLtQiYTiXYBzhYbbMG1+FE9ftwMXk59G/12IauOhlubh1ULU/zSPFrzetbQUXVrwbbNIA8u3NbTQ/kFQMFwQvVWh4lXP03wb5PQEcBNQocB14kMxwQE178zZBUaXP9SUbrVTxMkXA9YVpSKa22GpYBsA4ebhIkerlNT+0vHEdfUz4OJ63Sc/yoUa2OL64SJNa9+6yjj6rcNNa4SNt64Spig47ks6ujjubhXg/hn8chLEBWYvASxlWQMaEKV54BJpWQTvLzAstXw/345Fn8xrnkRWK1aRTrPUjo0eJ5cCMaPdBD0XNJtNPQcEpfaYeKjZ+ksUHoGMRHT87QNnZ5BKqksmHoGMlHVs7RljSydxVnPQFnA9QqkWwzAnn+zkdgziAnJnqdLDbJB2nNAoqO15wAbtj2D0FIvbSD3AsBGdM9BJrR7DmDlVBbsvQwblSAq/HuWLMSBz2E2IHwG0ZHh82QWIr4IymLFl4A2aHwRmEWPLwKzMPIFoI4nXwCkpb6YOPB5uiokJuZ8IW2Cz+eQcpU6HH0hiUvjrAPUF5K8VHwesj4HsXIqC2Kfw6q9MHrLJgvx7Qsw/Hs5XRUBG/o+A8xKHdPB8ItJHRVfQdTS08bHL3kR2rHrZ7141PNNbpkGE+iHaF9OUCqgslrqChobz0ZOKERipqvGgj58BY5ym9ZmVTtDTC9mUZxghrwU+t5wnkC+4gVWyQVUDIUfKl+dbJzGiAhubPk+HxwCXRoQyA8J/j1F6p0jJbK/efVAV2/q3Pzdo96FdNxTeg7cU0qOgTsDP2vnj64P/nrz4a87O+ME/Pzx8PP7AR2JGWTo6hP2GeV0JK5+0fWAz4mcwHe75q/eA5aKXb+w/7eVwSmjvvIfu9Tk9EA/urRmpcpVrB0p41f27g8yV9G6wrqyvpiSLr
qRwmnbrZItusm9AHOfTlF9wC/jv7PRuXnC79u1ecJL/r2muSGsq/xZuW6Cl/u8J6Wgd7+nMJpzHTs9jx9tIqpnAeHKBS6IdlYam9gHqMD5Te0tQxQlKv3VmZrClMY4h5wjMkbswNZpQ77PAjgNIIrlRAUcP5xIdTXR8egFVyWoE4IZ/JKGrnEuHyzmFDBCJHAZiqlALpJ6C7kcsama8GXJyJ8o96wqYh9BM4Yi7LumhBbMoYJue5AIHKBhOl6umVLJJZAAie4q/LHikkz/CAqGEfUnQH/cyO2/blrXuNqUuOeXFweHfU/9+6m/kb2w7raOD94o+LbbpYgHOg/waSCFU1AACRUhYpu/AG7s8PnZx/5l/78v1dS0DOno4PJgJdLnwcVq+szIBAsve+XsIe7DCK4mlZy77HmMcniKSYB9KCUX0BEwjtT1uQ0dAeNnfc99/fLV6/UpVz2c+VCMhpFM5Ndc4xS9pg9+7p+cmJnn/ODy507BUF/h5cdunaPjwfnJwb8N9lF/8PHy7Nwb9AeD47PTYkbrp73FGkG9s/f8CHs+bfCurFA0u0niJoxOcYACQK2rPaWaQSvXBi0eNtjn5QUnADUvF5Si9Bscy7p+Z3B2+NEbXF70Dz7Zed3v8HRo2CSHqeOoYlItpHNAIuZdxU+damXffQVOhyORJuqIqIUDBgYJp7FcQHiE1j+eOKec42GECriSBZD1fw9SEijfjmqZJZexWaQHjDYQ/Rb+mjOEkj/l7Djlq9MLaYwyJ8fMnKW/yE7uq8f1Jk0T0eg1OaLjchoPF2BD6E/SpASazWZl58r1LqCZs/MPvNvt7DA1taNbhtQq5ZYhGNzKnTVLlXa+DenME/RWD8qtnGBktjlNmXerHNor2K0s3iDtdg3DVOq18sycbueqK3P9tcUsyXxPMwn3KjcvJe65OAQG7R4uaHY2MwSqfRyqR5jppZheYViIutdwrnd3/6AXEUsGF8HAm6RDpF1a1A3sZYhAjqG8Xej4Xr5aOW8wysskudeVdfZ0paqDSqhL0JbdYyhCkMsFz4jWdfBsAOQnFuuZWfZN5tOhMOQ0o9gk4kPXlPQAHj8qNdS59rg4au26g6EAc49DEgzpjac9xtT1/Eg55uB2JbLvvnzz+tX6Hav1hG/58uaHt97b167K7I5J2mv0ju9EeOi7+939d9onvk2/ellJ71XS+5X0q0r6dSX9ppJ+W0n/TaavG5RCfgOgqO2q3YjLgqEsQYPkXqVVEG47XlPkleJnlxWsRLIB9rJd98axaVaq2noNWzfUq4MeaPLIX5COzK8FGle44T7IO8ZcsLnHUjJB86XT2AG4MNhAY+ekbj2tLTng4Eh0bXO6si0Fzde5uvr5Y//f3snZ4cGJ9+ng8Ofj0/7V1eDsp8tfDi76V4WTH3v0c3V1mDK5l/8XYrKCq6uLlGi63lNhlPhoaYH2WOrqFzp7+/rV/ikNUOvS25W8WBg4vVws71JFx4ERGCjGuLo61vcTy4v6ptrVfjSepm39m7uIoznLaSOWA42a5bXC+VQyeVfimPbzs3UGcEl5rcgdwbkHhYD+RHneW37km4UNg8IPETce+VQhQBcCCu771iJ4zSnvV6dzjgQW51TA2OyAL6hcJkuIoAb0MxWl9H+l2J+XIL+lXHiBj7wiBshRHEaFPkoGjoba1CChNBrAOImQBV0gnlC56TWAr06Hx0NFi5tOfZqIKC4BVNQEW3/BgKB8oXBMpnSC3EsoEKuUXC3YpP0YAR4PC1/fn16efArzIwVTZpGuLbglHaKUL2eR7Ggwu5VRzGLyyiVJoG2a5Op5JO6HXyoEg5yhhFGYhcLoGW3yfsKGYmyh6saiF6U4eP/SjsgEsSEqZtVrKEqiOegljI5ZxoKJEKAnsD9BFhfHCWKcEihQyrOxYoigWQUT8okYC9AroIWQTREXoKc8NU5hZIf6dVrB4yHoWZcdBjimUYAI6EHE99+8tTlxNEUsz+x09CC0G2
riexGCk7k3qlW6l6VoFkOG4ISmwu4WXrv7e2/33+pTz1RtBkfp6nFuXIj6YYBZdV/E57w34j1fGSvoOG45mvzHmIrqMzmN9QKYX/tNfjXkalX2vtvm4ExSqeiHp4lSEtEGBdGh74wLHuX1kFDicgFJAFkAZvB+7PJqTzmyY4eU+NnJAF+ADDNzTVfBaw6s1vcq+ScwW/2znRRxOEJDSsVKWRgYxHyt9nCLNOWGuGEl9e/BZf9Ttng6pEQwGg2QXE/p31dXsqk/UtrCiyz3QyQ33oEnIJ/owLGN90EZMpDIShm03abfdRY0axk5E/ihrI0X7wpK3pp1E1poPI6U7vEMhofIiDJfuXOtHe/+iUQHBTSg3TlpD0ymnpVdb1R4pj1dU0HXFK6NA+T+hXM8VZJh62q6Ptd3Jx/kxPlj//DsU98dfD487A8GrahCOBZ4ijzBoI/JittizIHBK7pLTjJzA8oA52Gg7FkSe/FSWDnJhUteyRpU22m+B+33P66+Ue33P66+Ue33P34eXOjTG42k/kVdVAzgbAdCHZllpgZBNFVjFk3NoSCMg7evHeUMTBYif431eU8UBcP2xz12W8kFrY0ZrJcMvsjtWiQmgDbj+jRfvEl0ssrqw9nLmtus1ZRddJro/VtjyGeDVTDakeylpr+cC8HCdfb66qjSV129UkkLOsh0+Gf8G/QnspfnUIT2MvQz+T2lAgVmWys/mS9mO3p0cqJzGvAnNaXIYkyWH81bocXvVhlfQm5zH9EYYvLP8/Pz8hL7EErkErzN0KAo8kIsVczcC1CERMMZhjJI+1kjKt14VEJeg+FKD/vUOEhdz5zuzq/BEH4Z4esOD3d3bOt2/+rsNgmklMh8GVRYKN2VAnweN72EPAB8Hg9phH3likZxpzbTCwtUsdfNArIxUp7/VdRakraIRt7SCCsi9eLY7ZiG6GWUrfbONLDWpI/FB6vO8Fdcl1ZO61ewUPMlvL5312tSeyHftAX7AJzM5rYldRNGZQGrV6CKwAa7tBfblMINd5UdU1ex570O84u38IW4RctvWHZbXfHxCE8R8/x9D8cqyvt6Rza6GODvA1PMSgqtmhJKa85T2r/BAnQWpwP1+dDY7zR9//WQEk4jdP3+/VkqklT0iU8DTMYffr1EN6L7+fKnHyzo+v17mWyzkuOhZ93hosCboPkSR5mDwc/5Tl6iPt5j1IK7QpKHDqm0XOqpCmjfhi5p8rCpb9I5D8uyWgJZi5cM+tDe+etHpcHL4pOOSua7bt1RqXfPeD+j8sSe+upGsWk18ISDWFk03XkMG7wprDmEpaa1c9O3Zk138T9eN5RNrtqecCg3W/rUFLU+VzS4nHrCsWpw9LUdrgcdLrCZt6i6wWx2E/WEY1l0xbTeEDQ6mFpzEKqatJWzqDXr2lQ+mx0GPeGQLpwn3HlIG10NPRWZG93NPCWZC25m1iRzk6OaRyIzFvosUpvi6oh0dUQ2d8iFcHn2zcBcv+Uksjgwoyxen85LTiO6CSPjKimKMI2lm9irQy5/qtnR32kSa0HcyPMRE/qEA3kCxglimIyX7VFPQCFLlY91CeZN0vpEvnskByT8HudRT7aNl95ZJBP8rHwdPcBN6uIuuWZnXN04/2UpJb77ULzNT9VrX9eHbnHsnboi6i6o77Wwb3aM6p9RGvOQVmdJzdLaeHbx1NLaHFjwzy6tj3J6spXuxxrTh5Pu5qX70wr3krh0K2S7VE67Q6gWpf6RNUZjj+4mfGC1AN57gX8omtdLdbuNTJN8Nx90Pql8N208Vh+WLQuX2lqGtzPYY/N7O15fl8Mbj4e3TA62TP7MmBxsfKzeJArLDtefVBKWR3S+44Ku1Vl4i3L/yEu6rew/NsXbyf46Ur3sfuVppXpp+PCS9G2l7b4E5F4L+2Yp/oDStuSa7YmlbVlg+q20PYiA3Gth3yzFN5a2NKCIcS+hEfZz/whLLgJ1BqAzSDFCDXfaStpoKoC9X273HqRR/J
ydKwLq7gI/fABXRtR0466cXXBF1rAgbc0mV2U+uXJegKsyp1RALIkrkEVuqSAQnaVYl+SYCtY8tQVbrikgVPjmyrnehCOaLpuejCPaX0B9sA6wTO+cZ2bS2kDzxtXlMyR5Zb25QPES9vLD/2WjtTYtG49bn46WrwvE3MDeo+SjvcnzW0bKRT9Y3/IMeHc+WHIS83Sc0P50ZqVcLT2DeRDJWrILfoYUXdgZPwxNmvcqz5Em1f3LqvnyafTH4/jdWDbYOPBkl5c/hINg8Pn4SI9sMdbE+iO3w5FIcVB48n57CwxMghRsd3E3oNe0YOAdqxbJuWIBJyuy+MW62F61kRuqICoBbbOs5An2MU25N8SCwyDGpPmV+UEBH2T4mTPuhwwIIbGzGpe+M4dBILPpA+zM98UL7ayJpzFqx1MZXTIO9vwIN0bny70lxZDAsXaGYSLxlUObKKdAGfpKErV1OYBJ9o5bSpXy2ysibbWa351oBmoRKqBAgCCKmq18j6IIyI8CESAogEUOyex9V3ZyCR/oASxywlfgdLpBpP0qFD9rIfgKnMP3BZ98A+WH4dX+1VWrjXfWbSICLgewWRwGeVcVDqAjYHNt0uUa1rfFLuV8iVRh+ztxulKkS3XoBfIREdE8G3LK8nlRZtfq9e6KoFnH7qxQnYsTn26QfiTuySkU/Cd49ZLvZmTLSatkoe3xgnYaH0ABAzrW8VB6KB6iIECBnlltPJRViNo1iJswOkSt8JGfMizmbusaTH/aZ1COV5aiZz2s72cPJnFPRwnpwVRQE2XEW3Q9Frgh5cLNYsjVfMsUVhNWPUJ9oy3Ej1IuELNhcVZLhhqloOR0oPkE7sA6kXnyZWOTUb7arOk+mb+l6AhLPqsl58KnP/ih+d3PKdflqIYTvOfEUfWG41uOujNHPfWRZh0HLnHa80wYsOHW/P75r1RtO1vo+2/EH1oI1mPRpmPiZ8Oi92+6uOWrR+Cr5mPnZ8NZzaaA988hVfXXynLw/puxZdQFRm0+zX8+jNpo3bblkMfgkMa7jWfEIU0WWVsOuV8OEZAtP8m7hAxA5od4ilq7qG5xFJ1fU9nuCciWxNJUNTsvHL/FeYwQc0+7g8TEqx6gVxleOYJUoVghuLz898McwRcYvUICxdc6AmUAeei8KHBjgbkWPw1VJNA6oIAC+25jWbWZhs1113yyYFfX1ZDxS2ORzZX5jV8mjV9EfSYpFZhgwWA84q4KgqobnvL5kN7Udan2i61mhGvpMOHhu1c1cLbYYAuuxY/q8eNm8HLq+8rVck3WhDZSklULU/zSPFrzetb4wsM3DWDbZlDy+SoFtv6YfY0LKZESgiJPMDgaYd+il1SawsBkDJRndSbAiLIZZIEK1m0dY5uca0j7zk7ZlXCCp1QQ6PvYyYP72I9jykXZ5XJV951IRX8o/7lwrndlCYXyFQaXwwDkn6pf+0pRFxJNlXck/5ktYis85uzs7L/59aX75vp2Z//Xl+7r69u9q+D21z333fXuVbB71f3H1XD3f17/r3MNqi2SneI8TIWIkLOsMer6UYdul7/UybyKrk8Wu6kKpT4UCyWaBnc7O5eH56/dk+PBZf/0/e3g7PDjQEW5raUYpgEmqlr9SxkYBITLGl4AJ4SE279uOkyJSGUy0bzlkrEm90j+eZUwejOXv8iY0UltGP28Yq1NgROYv+aP/ldrMuCYP1/0n4n+o/TP9eoZPeWIefbpmxDzOgk40LGZi660pxgCSIAKOwR9Iad7rhl6fUGou3mWFcNA0ZugmUxpJ1ZBIH8XIlMUlEL7q7dvZYVWt9DJrg+PWqxx1CgbT/ItRtlgPuooB0iJdICiP9PIrhw5c5/vqcDcNFYGI4YA9YNYQNQh7qnQEUCieft781VWBBULgZuY4XHHmAgkqZswTBkWNrJcoKKbuRGaIhugjEES0PjG3RsP3QSOszALXDAo0vg/hJ9UIJxHZcjeItLeItb+ItZ+AYtgHxUi3M0RT+
gMsTYWDrMYeyqYPiZjvYGoGxDrkTzbJEiZ+uXT8cZDUBahr45qt2pGR2584kDZdNRNL3lOWc8vMT5n00FfoTd0+v8GAAD//1BLBwjjxgVjFjQAABSDAQBQSwMEFAAIAAgAAAAAAAAAAAAAAAAAAAAAAA0AAABjdXN0b20ucG9saWN5zI9Ba9tAEIXv/hUP91zHplWNBTkY2kMPaUPIPYy1I2va1Y7YGVnWvy+yHAglUJpTrsP33nzvA77f3f98eNz/eCzxLYgbXOGNGGqJjEFiRFLHgZG5jlw5B0iCN4yv5BT0iH3XgVKY4QNDT5yHLO6cMIg3SDyg0yjVOLcGHVJUCrbCfWQyRqtB6hG5j2yv1deaUfcxou5T5aKJovi4Wpw4m2gqsSy2X7bLxaWgXADAR0go8UApaJuo5csRCGxVls7n1PJ6rSU652tyTqvh9hbLKKk/P2N87jLb/FE7Tqtpzmpqv7Ds1Y01FHS46chs0Byek0GMDpFDiZqi8QvDdnyiIyd/mtxfk7wbsZ8AvADe4Mtnrv7ytebfes7mv+hER3aqrPUmM7ldjCefzN7nZPo7s3WajDfbzabYFZ93n97nFh+7q9B/LFoX6/VuW7yXRX8CAAD//1BLBwgtbaydVAEAALYDAABQSwECFAAUAAgACAAAAAAA48YFYxY0AAAUgwEADgAAAAAAAAAAAAAAAAAAAAAAZGVmYXVsdC5wb2xpY3lQSwECFAAUAAgACAAAAAAALW2snVQBAAC2AwAADQAAAAAAAAAAAAAAAABSNAAAY3VzdG9tLnBvbGljeVBLBQYAAAAAAgACAHcAAADhNQAAAAA=" + "size": 23004, + "text": "UEsDBBQACAAIAAAAAAAAAAAAAAAAAAAAAAAOAAAAZGVmYXVsdC5wb2xpY3nsvX13G7fROPp/PwW6tyc/iY9JSrLsJL6P2qtISqMnsq0jys3TE/nuAbEgF+EusAGwpJiq/uy/g7d94y6XpGTRaZieWgR28DaYGQCDwcz/Ay7fXr+/uT19d/sGXARECiAZkCERYEQiDGYkigBlEgwx4HgUYSRxAAgFMsTgHEoYsDE4TRIAaWCAhxiwKeYzTqTEFMyIDAHFM5CwiKC5qTVgMxoxGIgeuI4wFBjELCCjOeBphEVd9SPGwSiNIjBKKZKEURgROe/9aYq5IIy+AYe944PeQZejr1//Sdfy5k8AdAEJ3gCYJJDHjPu6EYIDX8r5nwAAIMACcZJIXcMpVS2dKkiQcGaGDwVwpVS3IAWESswhkmSKgcBCta7rGpFIYq6bVf91ARPg5AR4EaHpvadz8X3CTYk3AN9j1FNt9CiMsar7Zw/CbkAEHEbYewFUCrE4iSChNgnTgEjvI/jqK1NcyrmvS//5xDMt2OLBGzCCkcA5ClRJJCM/FXCMF8d+G+IMBiAWx3o6oQCpwIGiCDs/GiZ4gvEqSNeglw0I8rHwRxEcC01zGilCDT7yPraPL/ARoyMyzuZ5yTgDYGBTDtUXsDjbinBZKkEqCB1nyNlk6CzB1Aw9gTLUkH0sUV/Xaf4Neqo7GhEGWuPgK7D33j+7uTi9fXjv3958eHf28N4/vb6+eHf+8N6/Of/p5uG9/9PN+3dX/9wHfwUHqnjCGcJCFFD95yKqV8GiYh9flV8NkYZnnxGBmiwKGNQd6AUm1dMpRTNVHNsvH7eN5JnwUUSWceLpTwNwdnUJUkmUlNNoVfyRSvxkvDcT7d3EE+ELzKcEYR8ixFIqfckmmKoUFqKJMFT/L34cAFsW2LJAl9WjKZVfczRVdvoEvP4U8j5PaV9gxLEUfTwRPRjD3xiFM9FDLO7bvtiu9DudArOVMKM76S3Msm4rE0p9lsh+YNanLhxjKvs4HuIgwEF/SGhfZ2kibAEUcyFx3E04G+KV4DFKOZHz7sot2FGsXkByiPBS8GyE9ePswyTuE/oLRorzJPPNb5+nFGnYVHBdRxB0QyZkl1AhYRTV
fkOMSkgo5k1Q9QD1nXY5KEqFxDwb5KdygQSiCRxjoahk4aNtBXP1tWVVmgmfxIGo32v8NACXb88Hmh+QqjEAUwIBBBTLGeMTx/6b8IjmeLWOG3KdjbGeJZRyjZ5olnTdHqywn1DLry7wyescvv62d/TquGf/9iMosZD9GEvYVajoExjn1Ig4DjCVBEaib3CWV/D1Qe/oL6c/Dfyz9+9uTy/fXdwocXt+8e728vRq4N9cXJ3eXv7jwv9wc1lTst/pFyr/GwlOWrH+W8rxEryrz78nzCuUG4xrLMh5n8FUhkd9Lan+BhPStbvgVtQMocCvj/0AIxY0rD0GpHYPaIoBQkeMx3rbtDGCyiLXtFm7DdRIDFqGhTCXasqa1tQz+720kOpzDodUxEQCxt3oIEiYNNQWzUEMI4IIS83+ZulwZ4QGzK2qLQN2He7he6yHvbdn6CYOIkKxXtM6KY8QRCHu5IgpfRdJRGTH2wcPDzVfzXA63v5yzIVQcsZin+NfUyxkDceA83cDYD+bDR4MsD6Pwaw4CFgMyUbkEFDR03UTRgtHoYAIxLjaFsf68JOQnsQRHnMY9xgfa5YKaM+CwSTRkC1kwuKYUZ9i6RMqeao64KtpqBt1RRSAPRrDZN/WEc0NUxB9HDQ1ASglRBPx1Ls1jQ7VuBpzDIVAUJ8HRwmhGg+/jTkcZj+O1C+eCungEqp/fVx6yPqHgrRSpB2LiTobwJHE3A9wRKaY1x2nHSQHM86k4iyRiqTATvpADbL1exNcPXQtYGlDb/fzarduPysWsz8B2KvbQco4adgUWrHcmzC9PPU63sf9rK6Hh7rTySezI7V16i0EZ0y6REdvRuwHtZWJGIJRPyLDfE8BwH6h724rmi8sv8Ap1LspFEFDB2Ok00OEvI+qX64MpAgLyfhmpSuEuHrBvNm1qiiMerELGb0mJNHYS+YyZDTH2Vdf5fTUI4E+ljWdcwCAWpNUILYQivAN+Ne/q8TOfUL9MqE20npxiSFUkAADNnosne9VthXt01AnRdpL7dUsVmPm1e5ThimJAkvQPFWTsL9fMwFe6SxVoQrNMWqSsh09IhFJY7szXy6IOESTGCa+6plfkrilyfmRshkFbDTCVJApBpKxKCush7WauF6+wLvF1yLH1a++WRyhGKv1vpBK5m0btnzrmysvURizmmEO1PC0VjIvpMWsADPMca6XsfoYQBntCglpAHmgkbIJYWYCOBevAOzpLlZkolXIiBAGbOY5/czYpkFBpi4yf+nwDby+UJQyJYmpR5FOOcemxrz6vZCjic2RapBlG1Hc8FGfIRma1BeoftFtjjlLExhUclOBeW1mzGoyA1w+9Y4TKMSs3C0UwjEuF0VhDZzNAh/r0V3Hnw7xn/JaYCI7Zawkk3EpgydxKZ1SKCWmAQ66aTLmMMClz1SDF1pISLKwQBbyc8B5GudzDpNJPjFk2BcUJoH5N19XtZDKKTRQm0+qzzO9WB0B/nxS/BxnR6W1eJTN6JfOo2xW3bfseHTHo18OjxZJtMikqdnYFb6qnIcH0AA/XoAfk6DlXFzD0xGhky+bpVUP1+ToQvGHB5BXUMTfypXtxMNOPDyPeFibedUh3Z8efdH8W76ULNxKli4h3S3lvruNLEqAGl3Ejml3TPtlMG1ZOYA4hhIHPpTgr+DbA7E2S3NMYVyj7f+COHrP9HFNjiyvycUqdqvyjsG/YAZfm4VT+uVvqk0f12ThHc/teO5L5TlJYlxjGvFF8Zzu447ndjz3e+Q5IgmCkc/xmAjJ5z6+TxivMa3geIwDIjP7GgOXVQBcBSAk06exPdG3gByPtd3JC+DZHujkxwUrE3uVFU6i2F5ahRM89zUq/RiikFB3m2XMGF0CZr+sfVj7NZfFmR2Itj4WS8yPYY4lW2TRAHkzjM04kdluW1u+Fm7178511l3nzpa/MwN/eXTXagyIOKM+lP4vbOjrsw9htOku75SClMJUhoyT33AAfmFDYzYbBIZU
VGVAoBAHaUTo+Okkb+3NnTVnEAljUV81nVk1KAmsMnqdhSypjVLKGdqici1BnckLWRZWtgHw2Eudlh58Ton1FGvH+pJvIyKtvczaJpHWXF39Xoj0GW41dkTdTtT1B8/t0XTdIfOJSbrQ3Ap3PRs3vt5OfGXe2VH2ipTNEvwlSeump1a1L6uKHFF3l7ExUT6jkN8R6oqE2qTA3xqpNqjrn5joymK4Xb2/cfM7Qbxd+m7Sbm+Pvut12RsT2E6ofoFE16De3SLR1Spzd0T3eyW6eSJZrBr2IR/XUZrDFohgShVBGScgkI/TGFMpABSCIQKl+1KoU2xCd/mzJqb74J4ooCTtJpwwo4JU4w0YhRJ3IzzFUafwUKLwJkq1wyENWHzfPRwPuwkcY+GVIJ1mVEgOZRr/l0QWnVmOEFE553AR6HAR6mgR6qgARQnCIRShTc6xSNgM83WmDNNpzZRd2wnDdEo4o2qWwBRyoqoTIIYSuUlCKeeYojnQ1W08WaobRht9/f79lf9hcHGjKNYkbq6y39eng4FKnL9/d3p74V9d/OPiqm20aSJ8kcAZxYEvQhzVPO8bqOyMTC0wGHEWg4QTKrXngkcMb0SKfiFKD2ASyDGVBQhV14ixGEqCupwkLY9eUh75hsd9of7U3CvchhicaxBgQLSg53iE1dRZRzYAfbi5cs98n2Cg+llryuudueiZTim575oONbx8NuPqKZiOAam8JWp+zGWwE0AJh1BgM+/2TZB7p1wRUg4WwCSJCDJuYBwpQKBreGH+uEegLwDj4Ifb2+vHPBDPF8kcg8U7Ti3EoQi9F9mSVpDu1Q8qsy5LanJqqKWmwLCpxYUPLrNr2qgt9FtDZU2NoIb8SUO+rCsQkWGfUCI5jEeiKxmLhOlsKuZDdr84iJp818CI1Ix6IsJvXy7k8monXWYNbFQHGzdlLsMwEiHkyUKxhDVgjKNFGmmajXndlP8mwle1ma6XQK2m7jteywtCpVyZJUxLSG3W7M9wrEbuEvrC2yXYjGaJDCaAEme/M+BglP0i3P3EKGTud5RVFQn3K54UgOMJzduOJxLHWZPx1P1KZhkIxzBQ568sHee/CtWKCOOsIiHlPPs9p8j9lixFoUukSgK7xNRWlfEcN4AZQx+JNC5lQIFfHlVzXh9Xc1wjGQmGiNFSxqRSsyKAUlq7LCjlpKVkQDhiEeOiklltOkiLKUynpeR9AmlQySmhZASRZOWcuNSPEYtKFWgbjFKnQgxLECETkpRyKinnmybP+oWREvocaWRpNq6OOw5eVVBscnoS32uHEqU+xpMRGbFijtpAltKlDlEWpkkpQ21aShlpXMEUK40ygULicoYMUVgaVkLoZF7K4OUUobIyozpvVMqR98UkxzBSTZXyUlqhT4F/LSVDeFjBpgjh0dFxTear14uZL7+pgXx1WGUvEXIclDPS0lgE4yWULjCJErDldDCsVFFuUkJUTpLSPEuMy0lRql4d11mZLyUvp1KKYHmiZXUUVm65ZEoX2TKl5NdyusoCqcBlWTArDWwWskoSxsTlWAsmzli2crgV/+N+ftXQuC/Xa088F79G+jAdMzo2plUJE3LMrSc5W8uf95bu79W2JBh6OXy+9VWfuwjoMzgGXejtr1xr1pGGej95nWTsz2DU5gUmwMN0PBItTg7UscJCVr0cPNa9Qb5dUEC2EW+TAwCOsMS+scrxIzZeHEaunjDAgfXpAkwhELGxMXvcZCC1CtbcPV0qY+3GRWdEbNyfVTOG1YwIChmxcSlvBElUzRNzUc2KsRBaeVGCwyjluJQFUxn2qoWHjMmFzAnmVGd+LB5p9cRlrjkKCqiCimr5mT3AScTmfsLJdLmbDQVBIjzWs2bhjBsv85pkkzlrOrHXPlX5b3AoSmOHiZ9gHhOpKOkrcHZ67Q/+OfBPz99evssc0DSPeyrCePk5VfUs5zWto+gHeNoXYdwHAeFY7WU2OolWNtsKMqu502lhNMLl3E9Ign0o
1c63Rg9x7RxpgXMFDRS06kDEiDTH7WLRNTu/p5ZJhHu6C5hKPte6BvAVuL68vvC/+/C9//3V6d/9s9N3/tuLm79f7KuZ1d47y0XviWwteeJKumm3xjolZ6DWIOegRdbmiCuiYgPsPR5rqwz9r+AAPNXQmaRY+kEaJ8tI/jwHK7ufUxkwk94xjtvofjWPLcZdmm60q9po8reGWBRhJNsYY05hTJC2L8LceSRuvArMhmMgtOrJVgFMFdZRsZYDm0x5w5KEJepHQU+wXsKxPoe/AMVc7Y84u2vJ83pBv2M+ftzexch6FxrFkmsae683y9p2eNkkG0dokj35JDd6SH6CKX5KX8nPRiFbujoDK76EaHXCu7K33p0D4f9gB8Las1kkat8I/Ig5xRGIWZBmb7QiImT2QkuGGOiyj77lyU5murrl65/usjmJL/ZZHSHNt5KD2ZXcr63UQasCWKGHPBYNZ1z9SXHxmMP4Kfum6m3vWirVJ39IpK9tM+o7mUOCIZFlSw4IKJ5Fc3cm2nhRyW6qCg8nCPXTJMHcj+Ac81zxUABBIaRj7EsSY/Df4OWBKEAtnOZra1jh8cZq5b4CA//yfz8Mbh7U37/fXOu/729/KJubZhKbj6dGPP/XfQtnqvZ8MafIx/ejOg+yapI4ihjFn8uNv+6oaUJJLG6uB4AnRlKrEOwfgfSfwPzhKGkdGQ38gsvtxaEpiIx/BYYchUrejBgHIntEurEKpcw0qq1695OFLraJ0TFKmv2B//3s+kv2Bu68f/fGjI01A0rMKYz6iMVJKvFb5x18emguGSjCLthB10Y7EP0Aj2AaSeMy3FiPVN2MP6K+5dgPSRBgagKK4EYvnacWzug7FvWLRd/BLAoeoWcsKFE/Aa9XOO6VN9CfvH7IYpyt4UVvvlXvvgW1yXJkKDL0p4dNnsoLcQGmhyWv20SIdDOxoZrsoYilgZ9wNiUB5hoczoyKVX+HM9EjJlqBPz1S33W/FzbwRTe8f/lXaTQuVIj4dwUDkqdmqAv+dgWWLqH+U5VXUJRVWgAbERwFbxb7VQCBSYJpsWnzn5TRG3B4kP2XT0se1MnajrQ4/K3EgdJWImqahIT8ST3/ZotwDYXurEV21iJZ5u/OWqTJTozUmn61XPwQOsVkHPpqIpuEa2bl6BaWilmqvQfSuZemPuMsOq/vcZpGu6QPEsZGmF9eWzvOG5xE81t2eS3KGec6qEIl8+3pmcsZUDKy9bQsOomPQowmfiFMQ2XxPX83ABFjk9ToXAO1bzUxHi6vgS7sojktxUODEGsI8kAQpCH8jSQuzANJujAhLhXPSdJjSpBT4fJ0V0hSDu6kPsxCKInQReAExtDUsqijzO94WlCmD1fCx2M1Ch9GEZvV7Vsu9HcgORyNCAIWzh7BXS2b4Ky8D3Y1lZ2pu30i995/uL3+cNvr7O0dvfr5oPvq48Pe0c8H3eOPD4d3wcPPh91vPz7s3wX7d72/3Q33/3X8717n9Ozs4vq2orPihagQ3Ns7PPr6rrf/sHd4YP58fXTXO/z5dffbj3latWPT/7/OePnzQffQAnyrCrz+xiRef3untpp3vf02guVIrb4Uo6ZbsewWAAYYQApYKocspQG4vDkDlaJrIt6W7sEg4D3tkePkBLx+/fprK5Xyj0T4STqMCFIQ2VajaVC/wCmsGqb65mK/boQKfMFEeWeXuttp7HYaRehVdho7u1RvZ5dazNjZpWapnV2qy9rZpe7sUm3e1uxS7Xqz7L0YcZGc1IL1i94YhjhKMG/ZU/+SJnOJ+SpPo/7HgKqDAB4yNslPzHb/qQutub+shpbS4zDLp1s53aLp1ku9VNpVUi+Qem0064hdEfViqMWLWwLd6pctfHrNM8tdYaXTi5xb39zSZlc1u6C5tcwtY3YFswuXW6+yZSpbnQqLkluL3BJkV55swTHrTHF5yVcVvZgYiZPRqF0xsoXCSD27LGSrgV0EMtlv/skkvRXwFhG5OM+keFFq
Z8Laymgtmp1EdoI4k78a807a5kLWyVbd+YIkzQSokZsFcZlJSSMcc5lYFIVFCVgUfEV558SclW5WHDj8WxGWSS47fi2nrHgyUskKo1wGadFTkDhO0BgKKogVK00yIeJkhxYZRlJkAsKKhcYAbq371dpS5nDmmX/yA5jJMOeo4p9se+/p45JnvuiTjaePBJ455njZQaXwyxxQPHvM8MwhxHPHDs8cNLw4/5O35o4OnjkseOpo4JnDgGe2/p7Z7HvF7b225a+xuSnEyjPSrGulmRabNiuCwxapOflG+AkLNgqD/mM6xJxiiQVIWPA80dBJHn2yGA99knWlR1hNLHR9ibVOgYJlGNlFT98ZP21m/LSUThShuJ6WokKqHiLGcUBFaTgWiCWYQ708Aq8fQwrH2PweRSmmsjskZjh50qsxEYxYGnQpC3C3WIVlj66SMbiLBNG5lrTKX7oBJ1PMu+7OtQtnle7CiCCm28iQDmeib1TbXd2DGZQoLNJN/Tddno4Jve8SqhXSemI5U5g2+HJzlkomEKxmJ5wljCvRBaMqTAgTzu7nTTUrSaGFMe7GWHKCRAXZ3fEEd41vY1tkqM++xo6haxFnhqDwLTGPrRVPN4Q0iBamr77GKUyjuqlUHUTSELbONVOixCcue/MeExnBYZentPglr0m3UGdQapheT3hEKO5qQ+C6GqxLZzO4CiKrBLgwYTvr0p2AXVPALt/baAtS31iQNrqiBhTPLKg1Ns2tDTfZsKzndzoiw741cc2Gm1qleiF/DVd3n9PqfD1r8WLJNd8lLIzzP9ntfts4S/GjJ5mF8uZOwVdlmHq32M/FMPU+sHcMs2OYtnEuZ5hncFC+GoM1PZl7Fv5qcJS5MnsV6lrN2fbKNe8Yd8e4C4y7DlsxWLvPW2QpBbkZT6mStr2eqcUfcRb75tFuyby4CFq0Lv7ZoyPfGj29yAygfNMRk/O6mjVMSp9LxS0wNV4/6cjnWG/7STI9tg34Nxf/c3F2W2yOQx0QKg0SPyBQExDRr5NVYtl8lYbyyRvBCDGq6aKezmAie+a0FfQCSKK5yrw3A+hGeAzRvBunkdQaByGsLqQ7Y3zSevWzOP/LvSzkrhXM3JkXRWUCeSxVNPlaWMXYs2Y8Bepah7aNP4UVnpKvMKJ6Om81C1s+mOUTtcqwnCn6I+3QVxvpY+eyIXbBsyz5j3vnXNw7NEQu2K3wuxW+bZxPssI3BlZ4Fj5qjqKwMgMUals1RMLKde+Ya8dcj2GuZlcuz8JcjSEcdgywY4C2cT4NAzRFmHgmBmgKJ7FjgB0DtI3zkQwgeLuPJ+vTzob0pao+HVRWu2RhijFw1BUJRmREkI3x+5i4F9kTsZgF5p4WVB90afdlseAd/TrNDEG0+DFTyPEjImreJq3keWbypI5n9FSBOv8IquHWi07KZtQPokJM5gmeLwkv/JONKfyjKgjOr66EdtCqPuZRmSd4/shYwwLLnquup3qUybNP3g8/XvzTv3p/dnrlvz09++Hy3cXd4J+D24u3d2c6BIc8M9YDAyzv7M+7gakYvDUWK3e6+6r3rQjKrL38gAof0zTGvMEvYcGq7fzdAFRh15zmxZeh2jUBnffU/8UU9exleE/LB00DpTJynugyg5t/1Cgf2p55RoFvfaP5KU1FCiM/IkMOuZmLxdHfhhhcnfvXNxdX70/PsyApgAiQsCSNtMOd4RxArfI33niKritIhJ/AaWcWPuWTl3fmpGNcUmiRWsjOnVO0UEFEhgmMfTxMRn7IWM0e98rgxkL2BAMKLuN7/N3195uMaZiMeigOFMh319/7b0+vjfLlYkGSEf0s1TR/1xOsbUSMUTz3ZarFsHAeN2sGpgHBrQUEe2f/uOgeHRy97B5/e3i4D2zBXLhvMszcNjd3TjT4cHnuPOXl31OikZHnFp1uVimg8/ery+/O/NsP706/u7oYtM1yjONRYOKF1axj+itgw18wkk/oVFetQLrqWm8rJ618GhNK
tN/Qlqf9Vhupn7CncVJakVwdYJRS/TjYaEkRi8UUiV7Q8qxhtSf+eql9Syg5X+pJVDfZsgKr/tKxnzAW+eZp/uK4820Hx4JFU62rV2JZY70xzpZCiXZdsuFb4fr3/J+8Ti8mFN/HPHvCX0oqAAopU0PqMa53k5W0AhFpkjAuC9Us5Cgw9FKXc44Biin1OTnSGUQbfBcT6iOWobYyxK4b1QwFNDoqNlBK6QYYiwjtxXqXW0yojzyJIJW9+/lv6mspZdFE6JghDKnrQTVrY9cFbk9iPC5ZH0KKkrRjHcRxnSOsG4wwlVG+ozFLlS2NA1Bwt2X45vLt+WAT2tHuhlIeaVbod/oxlrCrPU4RGOcGhIX2+oaPap3hm+6arZlzOXd4dCDAw0MZeXWALw/E8n1/rG39QyakP6pBmtoMqI8GV9Z/vJI9utyTeMbXNfUESzkqCMu+Roj5NhK+3gMpwmBTzCM438RzvhlqewQADVfr0u4JRls90KRUbj4WNf1+SIIly4V1OWbWCF1qk16bedD/JoxQ2Sts47V9a//QnnN14qiYeFlMHBcTr4qJ18XE18XEN8XEt22LP8XSiAX3aqhuSanuV9UkqzOjxNRsbZ/AMV6m2yndutlLt6rr4FUf7NsqlaywPxcv47TUsa7bwOIbFreOidCtMm5RckvHhBWjjT48NLzASQXPtFARGfaLoUxX9iLXppdQ0+nOLVZUL07ou/JsVdwfFSb7w83lJlP5f9ZzqlB3iO8loQt72fslGXe8j+D/tA9c1vndPK1S56PdblYco+QDFQwZY5KAmK2MMNs09VstC3pAFEsEpRkcRVqvRVWxjb1S7De4Uz1xthQ5drOYt5+8jj4+q15ZPB8efd076B30rGjqxEwGvXSYUpmqrmS3cG0zYPyfyiZtwUXhqzs9afeaTylD1sJfTbCcUthY8EkH1ukqjj4xyNFptUWx6Vv7Nzj5/8yPNFF1F4t8f6ISndrmCtrWZdOyIv5bHBUuZYcnWLJ/J9zx52fnDgRlU/hZt/3IXc8RGui9KR2DhAlBhhG2dVhPTwGWGG0owOreBJvKDb4LWFdL517OFwWvfJHX7LEvUXh/eAD1JemSktOFko4xtIZ+mAc71mmV+rjfuiYqevcFJaOROvZIxmrm4ErNePYW1zydN6psp9FUZ+mRNLEZrDmc9u4J7EH8CWZBoiRITcAnKULIJ61MP/OHhEI+L7gQaxMAefdx7saB4hkwNWk+GGnfaYRqRUlegMRtjg8bBlvPe6UD2YIn8ZXOa2Xt0YonYiowlZi3YMpCZfFmhhzDCUslYKPHiciqLuxECUPdViVYcnEZ8iTkYyxPDjVxnBxuFA+ZCjEjEoU6QIkfs6DplZcDBDGcgxBOMRhiTHNlgNoqKlTAVIaMk9821vev8frL7JVdz0xAkvzydoO3PQs09mxXn9m0PW80krVpo/ZB09Zpo+ah0wq08XmfsexoaTkt1dtIbZmU6iyn6impUGqF1zst1Lgm6uptoLeLurJt9F7FBvrB6m32VzWGXoF9d8y1nEL86dGOSPLtUCFE51/BtwdiR0LLSajJRHy7FNRgOr6KjG43En9aKd1kBrxlBNabBz/x0BsMQLc99FrD0EcNXQY2KLY2Y4sIreGYd7fnA3dZOsIcU2T0atVCT2BXoPrTC0hbCFI2GmEqyBT7k29Eg/rj1BjFFSy/QKKOpMLaKbIIhFCYCXyM8rzO6yP45CVzGTLasWEg9rwf0yEZIEh7ydxTMO5MPFWs7alOCsnJRJ2YS1/3wX6D1ztdiggEqffCmwRkrF046aq6YaoP3y88DicTLIT3wksw4VBiYUEEggm2v2EaaF+BumhEbFHtxScV3otP3pDJYbdNBLOYjOtO3u9jol9yGhfvQge4zWNchyQK3Dq2Cfo1YtT55q+ViL11r1VVPcx2p4XC1AYks4attQV3dikKVGucGgxfwd7bwc2+jX+a2ouC0YYR66p3fSfA64u5sObf
/VjwfgI5jLGqtF+0hi3cBZbvIlsfALYG+Va1ChH5Q4gmAWM1micLkWmesJBwGBERglKZNZGBS5fpto2KDlyLFeGjiGDaKlammGtkmXDb+qp72cyXDKGzwhUNY6WqNYdYN9/6IlzgaNQfBf3Dx83rBiq35CghdISRXCuARSFkhbEZ1XEnqvZb10fXl7puEMNoBvlGPFKKYDGCMYnmart++r1/+e7i9sH+fb1fGP+SiBcLELrjfz0Brw8ODxbL66//rb++Ws411smVb7zvxbjVOOXaFAB5AWMGaC9OnuCqK19lqhf9n+Ugsd4BoFhyvfcS6xI4jP2Scr5BpXx9+nZLG8EmX2JqI5jAuBcYg4s84/Gq5XUxVqto3SbG6p1JrYWxz6twXQ/D9Wez7SG44c1mG34LVayghlyhwtXOPQvorFdJbg2dn91Tw2dCY5PSZWuIbH6q34aBMmW2K19WqHJDpDYpYraH1MYn2p8LAw36mC1ioOmN7soY2Olvy1MuxCxYFrTjNsQWCjAOUGh/F42+3OlSE8EcQJpZv2hgxjdS8NRsigtD1r3I0GJDn9jcWqugzPnXQJUSUutYWpEjsS8anuU2B7bU5YaEdiMywSArv+b4G0Jbusrd65FxyIQspCXmcSE5icZchvaxCteH4h7SCckhFSPMeyLc/ElIgoh/eOi/8hEnkiAYGSsigkXT7v3MArpXDQ6+QaBsgrn1Nu+KdCz7iMJvR2mFZPVzzmkLmUXQIWPyC/IPsE0xtDD0/2SXAcUV5ykPfctYrvb4t0WWqz/97Vhux3KfneW2qTVoZtH6I8XWOLThPPGMDFrozWqaiGfs2054VIf+RxAem7J2vS5rW6z9ZKqsBk3WM7LhjgvBjgvX4cJaE8YdI+4YcWNa/gMz4nJz2E3ZtOnGYltc2nxhsR3+WvXu4xl7t9sNV4f+R2D/TRm86fZsawzeeHm2Y6EdC32ZLNRw/bo9Fmq6fd2x0I6FtshCmEeP84ihalBsFDy9U4yTE/DJU/V3vLpraX2nixccZNjJ6whFNM53iOqg/anyYRBwm9ROkqlNQIRwIi2cDIjLFzJgqVzuF6PsFcN4yWjzi5GEySOxHyafBe9eEibNSOctSPcr6MbSL6HZ5hlsl/PMIamcp23Uy1kcw6Dz9H5K9HwkcKadfDZNzA/XYIaHACZJZK19gCsD8jKbPS3KJ8EMJWEzzHWlHe+Fh+Kgh+9x2eag6HmxYOsQJhr0hfrVRWNiCi4fPZPGu6M/w0MzfN/UvoiF03oc6FclhiAZtz+ewpvUXo1Jiw0xHkARei8y+V4Q0tUPhgoWsySUBHUbaqkpMGxqceGDy+yaNmoL/dZQWVMjqCF/0pAv6wqo1YJQIjmMR6IrGYuE6Wwq5kN2vziImnzXwIjUjHoiwm9fLuTyaiddZg1sVAcbN2UuwzASIeTJQrGENWCMo0UaaZqNed2U/ybCV7WZrpfgY/ZCblUnWuUndQW7Lj1CKL0X9mc4VmN1iZgFeYLNaJbIYAIocfY7Aw5G2S/C3U+MQuZ+R1lVkXC/4kkBOJ7QvO14InGcNRlP3a9kloEoka6OmVk6zn8VqhURxllFQsp59ntOkfstWYpCl0iVVHSJqa0q4zJuADMWPhJpXMqAAr88qua8Pq7muEYyogsRo6WMSaVmNfOltEgi/agxz0lLyYBwxCLGRSWz2nSQFlOYTkvJ+wTSoJJTQskIIsnKOXGpHyMWlSowjrqKOSGGJYiQCUlKOZWUC8OfZ/3CSAl9jjSyNBtXxx0HryooNjk9ie+lWoVKfYwnIzJixRxKUKk+WuoQZWGalDLUClzKSOMKplhplNr+sJwhQxSWhpUQOpmXMng5RaiszKjOG5Vy5H0xyTGMVFOlvJRW6FPgX0vJEB5WsClCeHR0XJP56vVi5stvaiBfHVbZS4QcB+WMtDQWwXgJpQtMokRqOR0MK1WUm5QQlZOkNM8S43JSlKpX53hW5kvJy6mUIlieaFkd
hZVbLpnSRbZMKfm1nK6yQCpwWRbMSgObhayShDFxOfr8iELOWLZyuDW+6K+x1r93vsuECUQhPlKrFR0Teq+325LF1n+kF0qZ2LWrsaKTT/q00fFatubZTtjHcUI49lOI/OE8gWLpW+eSa80YShRqR/vZqcrYHX84PQOmLiAxCin5NcXaWwCjaqR548A0rlvcbIvvvAfYs0r3HbsG3XeMXoLuDPxgnF93EfjL/clf9vbGCfjhx7MPbwZsJGeQ47u3BHEm2EjeuXg4HxK1gu/37F975ClWu3ll/2+rETxnSMeAWGIGf2pcFzhTdx3uIXtpa2JDrOfWYJ0jlKdaihl1hyHb31VOQ5JDhH1IJQnwMB0vI7JUYKGN96kkXQ091i4bMlKSDAwjhibAfNwwtpTpUs96lVaQ17c3p2cXvv737cXGpuhmqIT+0v42uvSC3JQAiAUK25IBSJkMMX+Me4TGQV6///Hi9uJ/b7U0WQZ0fnp72gr0YXCzHCczOiHSzxw/+FggGME29Chx407C+n241dowLgAbARuzxpyY2QjYkDaH3eODl8ebYKt6MD4pBlNLJuprrscpBqgZ/HBxdWWFxfXp7Q+dwtsPDVdwiHx+Obi+Ov2nhT6/GPx4+/7aH1wMBpfv3xULupA4LaJcOxrxUUR8xGpDAWgAQ1YKoQlnUxLgADDnDFW7cQGtflxW1ncVvJ80Kb1Qg5/0LuoM3p/96A9uby5O3zrxizoiHVqiyPOKSimdLOoNu6iTyHlPU0+n2tiftVMILNNEH9Zb3EJwSAWLlYz3Kat7g3PtFIg5pJpw7MILgZQG2suuXgHVRiOLkEXwRmzdGlzAfi65/8+OuZ+8fshinHnl5/ZS40V2hVK9N7FplshGN/8RG5fTZLiQN4RokialrNlsVowGUB+vgHt7fyP7e1xfL+AHjhGbYv6gDrkP6rTDUy1pH0I28yV7MNPwoJaI/V5nb85S7j/o0EA670FVboH2DWlU2nTcyr27nirxl5bVjSPfkINYEnLv5gxYoEfdiO09zo6r9kWwmU1u9CfqIAOyHH174n3c3/9D3fQ0TjSGgT9Jh9h481mc5NsQg/y7mlsbIhYpxG0248s4uN9TrfVNc3pQmplLuW1DCojwBaTBkN37xi/U4rjO9YWIcEvsUffg1fHLTQZTG63ETcT9N6/918ddXbQ7pmm/MYKJF5Eh6h71jr41cUtc+uVBJX1YSR9V0i8r6eNK+lUl/bqS/lrH6GvgjlwdqbHcRSFGky4Php5+BKmyBOZTzFecoym2IYprpIsCcUGJsxPAI+LbtcqZevFSN73twWgMStQvyEb21wJeKxSwKUqBDgzHaAETIRThG/CvfxcQbqOohmSKhQkopMazYlTVLIKqLm6kQOTCq355UVVVL1eJMpthhad0OSJOwY1DgYHNSfJ5h/7++9ufTm8uFg/nDh3/wFzVfHeTUk13j62EUYQbK3Kqgp/Y7PXxy6N3LKhRG6zTs2bdw7vbaj23OvwfjMBA88fdpVETL6nki+7JSoh+1t5c3K/KP0pCEYTb+WhgAHOBYrnpeZloHUTYHov3601Pc0WtOI3g3IdSQjTRnkCXKc+yIKpQohAL6yFUVwFMFSBzJro2VmtNDjrXWBJ5zSSM7cH0hqkdrsqRzGb9wGQp/T8pQfNSzi+pkH6AsF+EADmIx5k0SjngmVyXGiSMRQMYJxF2WTdYJEydSG3GJ68j4qHGwn2nPk1lFJcydHAZ137h/rWsjr2kUzbB3VsoMa/UXK3YplGMgYiHha9v3t1evQ3zk76ts4jXVgrBUGBfe/1s3OCe5Q4bNURBNTecZ84dCR2X69tkZ1XZAynIUp1ew7Hdy0PpFQ/wxfO71+8UD7QbOIRcjsp0iFOxjMOSBUMrzWu2ZCHGKpAhHsnHsluF3qDgOOEMZlGu+lbSvpnwoRy7XK0070cpCd4cOIKeYD7ExaJm68xoNAf9hLMxzzg4kRL0JSkYxJE4wVww
CiVORUbqHFM8q0BCMZFjCfoFsBDyKRYS9LXj3SmMHKccpxU4EYK+82RjM8csCjAFfYjF0avXriSJppjnhb2OQX8rp6QU+RGGk7k/qlmMbkt+TbPgQfZIeNw9Onx99NrobFN93B2ly+e2gT9QGBDeE3OBYBQVjhFJ0e+pOU4Y0IrCVsxFfyT6SN+kL4Zlyu7J1HB7bbo/hZKiL6p6tCgwF23KhMe1bqi0T07KaFdISAPIAzCDjzPeqhUMmT4lNcHO8lvJUs4wM//t6vwFrdumAuMPawK9U4q9AQKO8JAx2cInAwuWb2afdxer3ygsOQWr/n3HmGwbLQpxkEY48CUUE2Ni23CNlYECBaoFwyoKmfWWPLvvU2IfhaodUbzuKEflt+bAy8eHtQTy7Xcf0xHjSLsbrpnTiysFDApAwLg0M77IbBubCDzbj56tumerNdfQ6sgmBJlqTnCtlC15c3Y0Vz4namX87uLs/duL7uDD2dnFYNCKCSqIJFPsSw4RoUsvrYkAFqro3t5+xUIb8Iow0BYSmcF5YTuk9iSuiTUxtdd8NXtx8WP7Je/FxY/tl7wXFz9+GNwYfZwB0v/iHk5NaN7FeNaZp7sgmup5iqZWtQvj4PWxp93fqUrUr7HR4EVRMGxT4LnZMWdoIVmyODHmRRKSuaWEggPQFdsEzzWG/VkzXu1tpmqzbdOlzWnTxJxdU+HCUZZHY2AKph+KjLRkz6kNVO7UNxMvlfGZhrWIWZApdpA/kF8gmqixXUMZuvvZD/TXlEkc2GO8+mS/2EP4+dWVKWmz3+rFQFVji3xnX5Mtfndi9RYKV/qcxZDQv19fX5f3x2dQAZfy26YDR5EfEiU65n6AIyxrFTPafOkHA6Zl3XkBdE3CKr4IzfXbvSEUoeuJ4o3eb5X0iJQzquleUK2hkNTCsvYtavVG2B01Py7h8HxDVdhyrYNpMY/r3+meAjGPhywiSDtl0pRvjMfCAvbdTbuJKaqksI41T9OWByTLWD2LLBHRevbudWwXzLbKNbjWuJ2B4+emsbbbnJZb47oruOcg0Pq7T0OeS6izLMUyI9IV5oXitrgWhvhMVAsKWCqHOrSwi0JeKbzmNK0bu6Lhbsy81vHMP/mLHJNhHtYU/2TvPTz9fsYzX/RTF0+/EfHMuxcve7lS+GVerHj23YlnXqV47h2KZ16eeHH+J2/NvSXxzOsRj6tM8zrEM29BPPP6wyu+93AxHZYE7VhhohPO9LVey6FFT7aFLR3tN5ndpTf5HdtKkaz7HY5qFHp7rdex+626PBGRKeY+OvJJnESQyk3UeqYSgI6AreQRO4/SUeUdu7gnEnQWdx3685m1WWv6/vMZo4JF+OObN+9TmaTygiIWEDo++fkW38veh9vvv3FZH9+8Ucm2wwB7dLh7XcUTPDDdq4Yc0zs1VblXeMKZrV72y37tEqb1AHWPO3VKgWdKT6eiF1gKkj1IlQHmvHVTJULfOWLHgT/B80a3zIPBD7n2TAF+bmcCBZe3NA+tVumtWpsqWUcutFuTP2djiCNEWF6pSlnOUC7L/XwxWurnoNZP7xbmIPNpuukc1Dv4fYo52KL/1ro5q98lP/uU1ZxY1pqxBh84G05YoWOrOW/dsJ3V4lfUTVu9U85nn7bHHQMWKtp8/hucCG5lXmrdNO6m5omnBmzuv69u4poc9z37vBXd422G8EaXfxuivCwNV3Lft2FLm/Ndk1u2Z5++WuXbWtPX6NDt+ZHa4Kjr+ZFacNC1IVKbXHx9dqQSaXTxxnre+MtZRKk1hiiE9HVPeubmFSxVlYEZ4/EmWF2i9+olnI6rgy/mGSjTuX4dcPlTjXphrcWnFaGUUWf9sFS1pqiUUCJNPNhSxFhmzSgyK4qE8Y1srxZjtSrUfnPwAnxzoP/95gU4Pn75Anyj/z0+Pj5eolgUImzRGojQdxrCFcPlWihzaQWpxoq5EHua8Z6cgKOjBQ3aCqrGssYtyZT/h0df9w7U//rftGkB
Ih9hLo26DfsSxgnmhI6bdQFXoFCgKrVMefs0dBPkrBefCUvUFyLqqx6J0jO4ZEK+IJ+Az2YPsqijqNFLVNUWf1qCnT+fFC2XUv1qvotgt0gD3mIFdYY3T1jVf9ic1b9qt+ZwbUrQJRzcoEnaDgc3B/vdcfBWIhTtOH57c/x5OL7p+LYNhl8SjbaF3wu1rKY4XKHOP5oMaRznOiwJ2tnyiav7A8xCHae3H4GbOL5Jhb0Fjm86rrapRpeFQ1+Rq3fr2bYpfRUq34y6Gy4CdgT+OajyCav6AxI4AI+5TmliguZLlS3wQPO9yArUXKhn1TuQFWr9o23tdrJg2zOwiixYn8+bb9+2weeNF2gLHLnjwB0HPvcMfCYObLyq3QoHNt227jhwx4Fbn4FHcWAaMMyFn7CIoNzVTuOVowEHBlwxF26wldAcyFIJnAVD+8u7tViyeg2pKjDsaLroPcJQ+A9FP+tTRv1V1hdEGeXrreWU8QyXO+tiuGHv+cUguLIbXcBvAXb5pUHzzGyEtwYF7Fbx9gjDoUJghKrXyAW8LTqC3AmqRmXNVgmiyEgLCpwWVlqqpnliZmo8An8x2Fs4Fj81BpqOIF8OBqrHkuVL3XbkwzYdEDVPOQmM19oljzohGHy4PDfzWwzsssn87QksUxIUvIE8PACbp7J03v7iVt7sRsHAv9R9UavCAkxWZfGLC47Qdi4b6pBFAWs7JYiEIMJS4Q+JFDCICW1yxnFagAYZdBZG4fNEX1GwWVtL3XHAIFDFDOV0ShFAORZpjNtpJ8NFRr0+ikhD5MrcI1wMKRwbH0A2SmU5XpD2hZaBb0JlNS42resJxUna77qMsvfh9mrEEEpL0JbCoIMoajL6Po8ioD5JTLV1bpESMvPvzebbTFRxxj8Br9MLIuNapvg5wNrxTUXA3Z3r7LtO5pzVeLx6eXRnrzJyiGvjz/AcSnhn8HfX7EFBIc/KK014q+KRykAoOmjio0GOOw0B2Ai4MpvhsIZnXIVLWUYBVfhlZRbRknaJkL3BCFMZzTO6YTxfPlVhI3/XkxqND8NbZOviKmm6Yrwf+Gq1Bf8NXh6I/LF4mQ68VTUHJlZIACUM2Lir3Zr2cTzEQYADswxrT6dq/WsBNC6WuglnQ7wSPEYpJ3LeXbkFO57VC2inVUvBsxHWj7MPk7hvwj31YSqZDRblLzprDLohE7KbhXSs+ZZJuiaoeoD6TrscFKVCYp4N8lO5QALRBI6xKEWGcR9tK5jngV0aGUlPblBywtGkmjt1vru2tBltehegD3NmHPZvvxg/Z8lnvZFd+PQH1LCvr8HchKpq1Xrbp6p6W/UdVT0JVW1T+1lHhY0+zrZKhA3X709Pg4VGVzO3fvou/OHYYH0irdczb5lIn9oickdZW6CsJpX1lmmr2dLw6amkLAJXMkx8+k7sSLWVVJvuB7ZNqo3Gcjsq2QaVNNyhbJ1Kmgy6dlTyealEQr5MHXgLOYAchWSKV4oF0KoIz6/F3IAk5EviLus2vRceatHMSDk33i59Qv2y0r5K6NqhpQ7PDcHt7T+fWumfEXhl0JqiTbxi4+42o8MCWVU/DLV7y8Ws3EduTS01BYZNLS58cJmZ19uaQr81VNbUCGrInzTky7oCir4JJZLDeCS6OhC26azz7FsdRE2+a8D4AK4UsB6AK7m82kmXWQMb1cHGTZnLMOw8DVeKGb/DNfAcLdJI02zM66bc+C2uyXS9BKXrFsVu9Vr2NS+yZEopjnzJ4WhEkAEtCSD9ndAx0IEouAQjxmeQByoriy+gy63Jp3sVv7MJmTJJIULEy+PDuY9jJqRXjppbkVRXShCfqX9uvI9Vv7YaQii0ayc81dAflapuFJiu71z9M1uE1nDc29s7evXzQffVx4e9o58PuscfHw7vgoefD7vffty/C/bven+7G+7/6/jf3kdQ62lXhKmUEfaWdUZfVXIcM6lXMK2Mj4iQmC4O8yRz39vU4duz6+Pu1eXg9uLdm4fB
+7MfB/sN2CIsIFQ3aX5p44OAClX7C+CFkAr3t5sOUypTlUwMPXXp2KB6pP68TDi71/7a6ZizSRmdCeSYykLDRiIC65McePaP+ddIJuDZP7+ZPxPzR0uVj8vX2zTA0xYf3ubaE/A0etSaW++SS+2KVB/6qnrRC5yvLSVd6/Kd5G38pncqTRA8pdX8xnB/rb65UqqEIm5Z4G9D7CA/67V+RvC2MW+DW/xUYO67p5BSzhdHc6phSiEjpgQCSIGOvgeRVDszYXq28VjyS1PNAapJGGiGo3imUsb1XRCo34VoTYVVYPWr1t/7trpur5pdI5+3bFP1jNsoLa0zbuGeacYDrGV7gKPdLLfM4gwPYZL4JA6E/49D34afWpzLn/AQwCSJrKgHFhAH4PLt+WB6WAioJTaZStWBHpyJHhGmM9MjBa47qyZKf095ZIxz+p1+jCXsBlDCPoFxbnpQ6IYNVLnXMMc5ycAEohAfmVWV0HuNf8liBM1sh1Jqbnl4aKKXzGwoCZOO1wp4Arxf4BR6y9fXGR4GXEeKEAmcURw0xUD4jrOZYrSf8PBcFwC2AMgLrDkdlS1FGWGfPBRyFmPTO42iMUYTZtIFdsuLZVLFlNRFGBtHuJtn6F/EkPWIcDxibVG9rTmSr0MgZiG+l8f1dtHIy/EQnz+yd2Nk+5o46ZeUfE8i/BYmCaHju8E/B7cXb3uEkjs1ijZLD4clxGKfJ8gP8DAdj43PgbVQdnN9Bs7evwVZBb8X/NkvKyOKzxPJxhwmIUH+MGJoorBljbjXRFqpMuAqcxbe28bZWd67+d37y/M7F5rldp5gcGC+Dy6vz6PoBsdsigdkTHFwDiV8K8brITTW5qxWstTtFgpgetOQMGlEeTRfzThvtSg3Bj8dlKTdhBOmlg2z5HYCHUe6G+EpdqGgOaQBi++7h+NhN4HjLCaekBzKNP4viZJKjhBROedwEehwEepoEeqoAEUJwoVQ7HMsEjbDreFf3Azg+yRiHDsFqYJdQru2FHClKoaSjyNabeDrrt1yc1pSMaW15e9cH7QZ6WqDVYvHDEbOj7T1Er0u47paKr6mtyjytNivCaNrozaKu4E6vQWnOgL43TXkMMaqR3ff26Fca6FztyrRhExIYd4yNKNLhjijF10gf9XwOOysSSfmXuTl0Z3ZAok7LNGd7tCKo3VbSB8LYXeQq3FL7KQpcFWAvAqQV/E8+LAG5kBtGEQu6cHA9e1Mvye4i4XACIs12MrcSYxYFGAu1uUmc1VhC2+TiRr3DdVNw4UVPHcmEN33putG/j5NxR/Upr1S+4pToYndx3RK1O6ZSn8KuY7Quu68mCqofjri6tjm9OiBLQsVbioGb/WLF353kfd/VeQZ/w7rIsqU2iZqHIFpKU6KzO0o7YPu4wp4iNh4/QXRlfsScLDirl/3txUfMTEnbLXJbzhiu6iHmep1SiD46e3lZqOu0Vt98vR+Tjff8V54KDZPfuoU/GVNwk8xuebTwUXzC6H/GwAA//9QSwcIkllWq048AACIrQEAUEsDBBQACAAIAAAAAAAAAAAAAAAAAAAAAAANAAAAY3VzdG9tLnBvbGljedSdz47kthHG7/sUxObsXbL+kRzAhwWSQw5ODGPvhqbFnpajltqSenvm7YNWLxzY1mRHEwSjb06LhaT+fiJZLFYVqb+4v//w4z9/+vzpH5/v3N/qZhrd1Lvp0Ixu37TFXZq2dV0/ufvihrJvy24qtWs6Nx2K+2s1VXX/4D6dTq7q6tvF98X1X8pwGZppKp27NNPBdeXiTn3b7J5uT637S9f2VT1+cD+2pRqLO/Z1s39yw7kt49Lj9/3g9ue2dftzt5uavqvaZnr68O5LGcam7+7ce2Wi8P7d/IS7d85955r6zv1UdXV/7Kpjeeecc3UZd0Nzmm63vJ//b9+0Uxnme65/37l+dN9/7963TXd+vF1SHk9DGW8/1J9K9+FK8eH61PnKMu0+joeq7i8fT9U4Xvqhvt1X
N2N135b6zu2rdiy/qSqP1fHUlt1QqqlUu/E4Ha7/HKuH0k1XgqFM56Eb+38NZTz13VhCDEImRvJnjh+e3KfrjfPbew1SeSy7PyCNh/8HgWUDJ4iJPTZBsizgBIkTNkGm6MmACZRSxB4HKqLY40DVg9siVTHCHgcWEmG3QQoZ25pqMvBxYOzB52ST4KHHASexnLLfFEFd2vJiAlLK6olxCZiipa2tD9YRqLFsbRw8lOmF8oME1UgBVj7FvLWZYI185USksPJNeWuz2Cr5FrfmCK2RH3NEfvsbXNSvkK+BNjdzrZHPkQXX8qh4Ap51VTkg9301b7idx7xubumyRj4rAVseU0V2mKNsL/6zQn4SMmD52evmYldr5GfbXBB9lfwUZGPxhpfLJ88B2HBS8FFx+z6FEICX6hTMgA0nhXRdqsMO3ZCvTgOsfDLkaYs4RGCfh4SCAlseMQF2GkiSAAdKSMViwrU8mtLmih5WyE+yvVz1CvlZCDjCTDkmYPnsySuuz8Ne1OP6POwzAw9dJo9seZgUOUjIBJ2aY9pgye0a+XO1Kqx89gE4Lc0MnRxinks8geWbBzacrBF4rctsHrgogDn6zW3YWSM/G/LbFw/tMIvPwCFaFs7A6QkWITHgty+ct1YKvEp+Aq7nYUkZebEoOQCXZLD6iLzWVQqb2yO7Sn4Cju+zqiBHGlQN2XCqISeHWKMgx3k0e+DcFmvOyNNWFObAqG9fSCKHRJuSfz7VL98A+HXz0ALB5zJOKAxM1z9wBg3w7SDEi+svKAYNi9MBFIPZYgwIiiH5xVAEEoP6vBjMgmJQwm8Hi/B2SZ8pO0disLAcm4ZieCZECsXwTDkfFEMi/L6UDb4vzRuwwf3WRMv+Es4qLok39FbIEtB7knqKCZ1h3tQPzkCR4Bnm0wnAGSQYfDvMRyaiM2iGt0tydTTAGebDK9EZOMD3pblCEJxhLhNEZ2D8edps2W+FWT1oNPj8ye08G3AGw1/FWQrwXmsMDN+XouBb1mgRPraUUoD3NLJn+Nx0zldnCZ0hoUfIyEtE70vkzaPP0xRIEnjugQLHBJ4D+nqkEjYDRY9e90PseflwJSQG/Pw68ZxPxGYwfiZChhIRoJgoo3sayUwWZ2mUVmAfDL3GgT0ZesSbvcDXSDMRodePMc21ucgjmvFz68xBlkc0TisQ/PqNGb/CgZnh46zM86fwoEfDc/kroFaQENHrG1gEvhqURWm5VgZmNIjC17OyxIgeB2CJefksDySG+UQMbIbb3npwBgv47WAZfV8iayT0PX2s6ZmoEhCDeTN0v9uSjywLH67FYRDvSX2AHg/iyXLaDsPx6edZ7s+//eabu6G/tr80++Z4f3/4s57m6KpXa+lPpfuDljLtPo6Hqu4vH0/VOF76of7v4qYyTg/9qm9GBzVRThv5XO4rANhysmAZFyAZxRg3smHtCvBL9aVahUDJQrS4oTZYjcCkOciWutEV4eWH14SgWSVvqBednqZD361qBFISn7bUCK+BsJTY+42ETV4JwYE8+xi3AzGcx+nlw4F8UAtpwaN8S/3fdMbuq3oov56vl/8HRShYjrYdlOnp9FXGyxskePU+x418Yff3FN9slt/HgSxTXrJRb+Mj/y8oMWvgtDDI4VDEq7Ck9Lbd698BAAD//1BLBwgtiMaVEgYAAImSAABQSwECFAAUAAgACAAAAAAAkllWq048AACIrQEADgAAAAAAAAAAAAAAAAAAAAAAZGVmYXVsdC5wb2xpY3lQSwECFAAUAAgACAAAAAAALYjGlRIGAACJkgAADQAAAAAAAAAAAAAAAACKPAAAY3VzdG9tLnBvbGljeVBLBQYAAAAAAgACAHcAAADXQgAAAAA=" }, "cookies": [], "headers": [ 
@@ -48,8 +48,8 @@
 "status": 200,
 "statusText": "OK"
 },
- "startedDateTime": "2024-04-23T17:57:49.947Z",
- "time": 166
+ "startedDateTime": "2025-04-01T14:30:59.241Z",
+ "time": 193
 }
 ],
 "pages": [],
diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response_2915330901/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response_2915330901/frozen.json
index 22f2f3ac9a31..80817991b444 100644
--- a/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response_2915330901/frozen.json
+++ b/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response_2915330901/frozen.json
@@ -1 +1 @@
-"2024-04-23T17:57:50.126Z"
+"2025-04-01T14:30:59.438Z"
diff --git a/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response_2915330901/recording.har b/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response_2915330901/recording.har
index 2c63c9b6df45..306b2b07420d 100644
--- a/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response_2915330901/recording.har
+++ b/cassettes/v2/CSM-Threats_3156990395/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response_2915330901/recording.har
@@ -21,18 +21,18 @@
 "value": "application/yaml, application/json"
 }
 ],
- "headersSize": 569,
+ "headersSize": 568,
 "httpVersion": "HTTP/1.1",
 "method": "GET",
 "queryString": [],
 "url": "https://api.datadoghq.com/api/v2/security/cloud_workload/policy/download"
 },
 "response": {
- "bodySize": 129079,
+ "bodySize": 131981,
 "content": {
 "mimeType": "application/yaml",
- "size": 129079,
- "text": "# IMPORTANT: Edits to this file will not be reflected in the Datadog App and will be overwritten with new policy file downloads. Please modify rules in the Datadog App for full functionality.\nversion: '1713895070226'\nrules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An AppArmor profile was modified in an interactive session\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n !=\"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditctl_usage\n version: fdc2412d\n description: The auditctl command was used to modify auditd\n expression: exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditd_config_modified\n version: c7f52a7a\n description: The auditd configuration file was modified without using auditctl\n expression: open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\n > 0 && process.file.name != \"auditctl\"\n agent_version: ''\n filters: []\n- id: auditd_rule_file_modified\n version: c533115d\n description: The auditd rules file was modified without using auditctl\n expression: open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name !=\n \"auditctl\"\n agent_version: ''\n filters: []\n- id: aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description: The AWS EKS service account token was accessed\n expression: open.file.path =~ 
\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: aws_imds\n version: 6d47fcfe\n description: An AWS IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\",\n \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]\n agent_version: ''\n filters: []\n- id: aws_metadata_service\n version: 4601e52e\n description: EC2 Instance Metadata Service Accessed via Network Utility\n expression: exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in\n [~\"*169.254.169.254*\"]\n agent_version: ''\n filters: []\n- id: azure_imds\n version: 784f9a83\n description: An Azure IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]\n agent_version: ''\n filters: []\n- id: chatroom_request\n version: 91aa2a0f\n description: A DNS request was made for a chatroom domain\n expression: dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: common_net_intrusion_util\n version: c7198131\n description: A network utility (nmap) commonly used in intrusion attacks was executed\n expression: exec.file.name in [\"nmap\", \"masscan\", \"fping\", 
\"zgrab\", \"zgrab2\", \"rustscan\",\n \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]\n agent_version: ''\n filters: []\n- id: compile_after_delivery\n version: f41c1e36\n description: A compiler wrote a suspicious file in a container\n expression: |-\n open.flags & O_CREAT > 0\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n )\n && (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n && process.file.name not in [\"pip\", ~\"python*\"]\n && container.id != \"\"\n agent_version: ''\n filters: []\n- id: compiler_in_container\n version: 441a7e85\n description: Compiler Executed in Container\n expression: (exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path\n != \"/usr/bin/cilium-agent\"\n agent_version: ''\n filters: []\n- id: credential_modified_chmod\n version: 7e14d921\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n 
agent_version: ''\n filters: []\n- id: credential_modified_chown\n version: 3731e0d5\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: credential_modified_link\n version: 7594ec54\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_open_v2\n version: 
5aec9afe\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n version: 8bb8242b\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_unlink\n version: 5af577d\n description: Sensitive credential files were modified using 
a non-standard tool\n expression: |-\n (\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n version: 1c101338\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chmod\n version: 13512ebc\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && chmod.file.destination.mode != chmod.file.mode\n && process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chown\n version: ee7b306c\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_link\n version: b83e03f6\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_open\n version: 561ad06\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_rename\n version: 59b739d8\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_unlink\n version: 82b6d187\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_utimes\n version: d460ba68\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cryptominer_args\n version: fc017137\n description: A process launched with arguments associated with cryptominers\n expression: exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args\n in [~\"*stratum+tcp*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: cryptominer_envs\n version: 654a00aa\n description: Process environment variables match cryptocurrency miner\n expression: exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: curl_docker_socket\n version: f736b6e6\n description: The Docker socket was referenced in a cURL command\n expression: exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args\n in [\"*docker.sock*\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: database_shell_execution\n version: 3508c713\n description: A database application spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n process.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n !(process.parent.file.name == \"initdb\" &&\n exec.args == \"-c locale -a\") &&\n !(process.parent.file.name == 
\"postgres\" &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: deploy_priv_container\n version: 356d5ee7\n description: A privileged container was created\n expression: exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted\n & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters: []\n- id: dirty_pipe_attempt\n version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag\n & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dirty_pipe_exploitation\n version: 9bcacfe3\n description: Potential Dirty pipe exploitation\n expression: (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dummy_rule\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_BAiZP\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_CpDMZ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_HfYXr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_LPRxi\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_RMoJm\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_Tjzvu\n version: 28ba1078\n description: Execution of a java 
process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VxNSK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_XcxFr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bKkuv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_cdxqn\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_fWORB\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_iNwDw\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_ivMAv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_jcvqK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_lszUX\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_xkrhu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n version: 1924611e\n description: A process unlinked a dynamic linker config file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", 
\"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"]\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_write\n version: 764fc516\n description: A process wrote to a dynamic linker config file\n expression: open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: example_agent_rule\n version: 28ba1078\n description: An example agent rule generated in terraform\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\n version: 
f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exec_lsmod\n version: 1a14c811\n description: Kernel modules were listed using the lsmod command\n expression: exec.comm == \"lsmod\"\n agent_version: ''\n filters: []\n- id: exec_whoami\n version: 90ea91b6\n description: The whoami command was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n filters: []\n- id: gcp_imds\n version: 3035dbbf\n description: An GCP IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\",\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version: 60fd84a9\n description: A hidden file was executed in a suspicious folder\n expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version: ''\n filters: []\n- id: interactive_shell_in_container\n version: 757f83d3\n description: An 
interactive shell was started inside of a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: ip_check_domain\n version: 2d5285c0\n description: A DNS lookup was done for a IP check service\n expression: dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: java_shell_execution\n version: 24c2eb7c\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.ancestors.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: java_shell_execution_parent\n version: 1bcff0aa\n description: A java process spawned a shell, shell 
utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1s
um\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.parent.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: jupyter_shell_execution\n version: d2d9243c\n description: A Jupyter notebook executed a shell\n expression: (exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"]\n || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in 
[\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"])\n && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: k8s_pod_service_account_token_accessed\n version: 88c0ee3a\n description: The Kubernetes pod service account token was accessed\n expression: open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\",\n ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\"\n && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\",\n \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\",\n \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path not in [\"/usr/bin/cilium-agent\",\n \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\",\n \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\",\n \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\",\n \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\",\n \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\",\n \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\",\n \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\",\n \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", 
\"/usr/local/bin/registration-controller\",\n \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 82c61c82\n description: A new kernel module was added\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: kernel_module_chown\n version: ca2cf124\n description: A new kernel module was added\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && 
process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: kernel_module_link\n version: a18ca197\n description: A new kernel module was added\n expression: |-\n (\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_load\n version: 904592b4\n description: A kernel module was loaded\n expression: load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\",\n \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"]\n && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\",\n \"xtables-legacy-multi\", \"ssm-agent-worker\"]\n agent_version: ''\n filters: []\n- id: kernel_module_load_container\n version: 139b666a\n description: A container loaded a new kernel module\n expression: load_module.name != \"\" && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n description: A kernel module was loaded from memory\n expression: load_module.loaded_from_memory == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n version: a277c753\n description: A kernel module was loaded 
from memory inside a container\n expression: load_module.loaded_from_memory == true && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_open\n version: 55f9569\n description: A new kernel module was added\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_rename\n version: 9d8cb7d8\n description: A new kernel module was added\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_unlink\n version: 652391be\n description: A new kernel module was added\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_utimes\n version: 405d45e7\n description: A new kernel module was added\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kmod_list\n version: c353a548\n description: Kernel modules were listed using the kmod command\n expression: exec.comm == \"kmod\" && exec.args in [~\"*list*\"]\n agent_version: ''\n filters: []\n- id: ld_preload_unusual_library_path\n version: cc6fd0c4\n description: The LD_PRELOAD variable is populated by a link to a suspicious file\n directory\n expression: exec.envs in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]\n agent_version: ''\n filters: []\n- id: memfd_create\n version: 5908512a\n description: memfd object created\n expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\"\n agent_version: ''\n filters: []\n- id: mount_host_fs\n version: accb4f\n description: The host file system was mounted in a container\n expression: mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n 
agent_version: ''\n filters: []\n- id: mount_proc_hide\n version: fd887e01\n description: Process hidden using mount\n expression: mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\",\n ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_file_download\n version: 75b930ad\n description: A suspicious file was written by a network utility\n expression: |-\n open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n )\n agent_version: ''\n filters: []\n- id: net_unusual_request\n version: 3df2d9ef\n description: Network utility executed with suspicious URI\n expression: 'exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n filters: []\n- id: net_util\n version: fc362090\n description: A network utility was executed\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_exfiltration\n version: 5f7c8871\n description: Exfiltration attempt via network utility\n expression: \"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options\\\n \\ in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\"\\\n , ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_util_in_container\n version: 69e03ac1\n description: A network utility 
was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_in_container_v2\n version: 26d8eba1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: network_sniffing_tool\n version: 4ae409bf\n description: Local account groups were enumerated after container start up\n expression: exec.file.name in [\"tcpdump\", \"tshark\"]\n agent_version: ''\n filters: []\n- id: new_binary_execution_in_container\n version: 9dc42e1d\n description: A container executed a new binary not found in the container image\n expression: container.id != \"\" && process.file.in_upper_layer && process.file.modification_time\n < 30s && exec.file.name != \"\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_us1_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chmod\n version: d301aedf\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n 
(chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chown\n version: '69383592'\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_link\n version: e0565b29\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open\n version: b5602c6f\n description: Nsswitch Configuration Modified\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open_v2\n version: abef53c9\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_rename\n version: aad34176\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_unlink\n version: 8a3e2fbb\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n 
agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: ntds_in_commandline\n version: 5cdd4bba\n description: NTDS file referenced in commandline\n expression: exec.cmdline =~ \"*ntds.dit*\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: offensive_k8s_tool\n version: b83fba22\n description: A known kubernetes pentesting tool has been executed\n expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv ||\n \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: package_management_in_container\n version: c152fcaf\n description: Package management was detected in a container\n expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: pam_modification_chmod\n version: 974a676e\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pam_modification_chown\n version: ca22d0ab\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pam_modification_link\n version: 3d5d6b31\n description: PAM Configuration Files Modification\n 
expression: |-\n (\n (link.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_open\n version: 9440f452\n description: PAM Configuration Files Modification\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_rename\n version: bd1d257a\n description: PAM Configuration Files Modification\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_unlink\n version: c3dc53e1\n description: PAM Configuration Files Modification\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_utimes\n version: d377b599\n description: PAM may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: passwd_execution\n version: e1d41f5e\n description: The passwd or chpasswd utility was used to modify an account password\n expression: exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags\n not in [\"S\", \"status\"]\n agent_version: ''\n filters: []\n- id: paste_site\n version: b528c8d4\n description: A DNS lookup was done for a pastebin-like site\n expression: dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\",\n \"klgrth.io\"] && process.file.name 
!= \"\"\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chown\n version: 21da2189\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_link\n version: a7ac587c\n description: Critical system binaries may have been modified\n expression: |-\n (\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", 
~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open\n version: f583ba7c\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open_v2\n version: 45abd074\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version: e0bc0857\n description: Critical system binaries may have been modified\n expression: |-\n (\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_unlink\n version: 3bb086ca\n description: Critical system binaries may have been modified\n expression: |-\n (\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_utimes\n version: 6d979630\n description: Critical system binaries may have been modified\n expression: |-\n (\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: potential_cryptominer\n version: 4241c309\n description: A process resolved a DNS name associated with cryptomining activity\n expression: dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\",\n ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\",\n ~\"*rplant.xyz\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: potential_web_shell_parent\n version: b67ffbcd\n description: A web application spawned a shell or shell utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n 
\"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\
",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")\n agent_version: ''\n filters: []\n- id: ps_discovery\n version: a0a32c4b\n description: Processes were listed using the ps command\n expression: exec.comm == \"ps\" && exec.argv not in [\"-p\", \"--pid\"] && process.ancestors.file.name\n not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] && process.parent.file.name\n not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\",\n \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\",\n \"check_procs\", \"newrelic-daemon\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ptrace_antidebug\n version: a6289ff7\n description: A process uses an anti-debugging technique to block debuggers\n expression: ptrace.request == PTRACE_TRACEME && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: ptrace_injection\n version: 6d290a43\n description: A process attempted to inject code into another process\n expression: ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n || ptrace.request == PTRACE_POKEUSR\n agent_version: ''\n filters: []\n- id: pwnkit_privilege_escalation\n version: c83bbabc\n description: A process was spawned with indicators of exploitation of CVE-2021-4034\n expression: (exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"]\n && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)\n agent_version: ''\n filters: []\n- id: python_cli_code\n version: '989474'\n description: Python code was provided on the command line\n expression: exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args\n in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", 
\"*-c*/bin/sh*\", \"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version: ''\n filters: []\n- id: ransomware_note\n version: ee40f85a\n description: Possible ransomware note created under common user directories\n expression: |-\n open.flags & O_CREAT > 0\n && open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n && open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] && open.file.name not in [r\".*\\.lock$\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n description: RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: read_kubeconfig\n version: '80926379'\n description: The kubeconfig file was accessed\n expression: open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]\n agent_version: ''\n filters: []\n- id: read_release_info\n version: d0cc9710\n description: OS information was read from the /etc/lsb-release file\n expression: open.file.path == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0\n agent_version: ''\n filters: []\n- id: redis_save_module\n version: b1cb9110\n description: Redis module has been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\", \"redis-server\"]\n agent_version: ''\n filters: []\n- id: registry_runkey_modified\n version: 
3df7b8e9\n description: A Registry runkey has been modified\n expression: set.registry.key_path in [~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\n NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: runc_modification\n version: c7144439\n description: The runc binary was modified in a non-standard way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: safeboot_modification\n version: 75fb1a6f\n description: Safeboot registry modified\n expression: set.registry.key_path =~ \"*\\\\HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\"\n agent_version: 
''\n filters:\n - os == \"windows\"\n- id: scheduled_task_creation\n version: 9c3f2289\n description: A scheduled task was created\n expression: exec.file.name in [\"at.exe\",\"schtasks.exe\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: selinux_disable_enforcement\n version: afa9a8ba\n description: SELinux enforcement status was disabled\n expression: selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args\n != ~\"*BECOME-SUCCESS*\"\n agent_version: ''\n filters: []\n- id: service_stop\n version: 8e434232\n description: systemctl used to stop a service\n expression: exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]\n agent_version: ''\n filters: []\n- id: shell_history_deleted\n version: ff763e6\n description: Shell History was Deleted\n expression: (unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") && process.comm\n not in [\"dockerd\", \"containerd\"]\n agent_version: ''\n filters: []\n- id: shell_history_symlink\n version: 31982e4d\n description: A symbolic link for shell history was created targeting /dev/null\n expression: exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n agent_version: ''\n filters: []\n- id: shell_history_truncated\n version: 38ec83e8\n description: Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name\n =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path in [~\"/root/*\", ~\"/home/**\"]\n && process.file.name == \"truncate\"\n agent_version: ''\n filters: []\n- id: shell_profile_modification\n version: d1cecdac\n description: Shell profile was modified\n expression: open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chmod\n version: e4096f79\n description: SSH modified keys may have been modified\n expression: |-\n (\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] 
&& (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chown\n version: 9639bf6\n description: SSH modified keys may have been modified\n expression: |-\n (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_link\n version: 81382bdd\n description: SSH Authorized Keys Modified\n expression: |-\n (\n link.file.name == \"authorized_keys\" && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open\n version: 1ae8f7d6\n description: SSH Authorized Keys Modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name == \"authorized_keys\" && (open.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open_v2\n version: 513f8108\n description: SSH modified keys may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_rename\n version: fd3bdabf\n description: SSH Authorized Keys Modified\n expression: |-\n (\n rename.file.name == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_unlink\n version: 54cf4a88\n description: SSH Authorized Keys Modified\n 
expression: |-\n (\n unlink.file.name == \"authorized_keys\" && (unlink.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_utimes\n version: 59377e61\n description: SSH Authorized Keys Modified\n expression: |-\n (\n utimes.file.name == \"authorized_keys\" && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_it_tool_config_write\n version: 86ae3762\n description: The configuration directory for an ssh worm\n expression: open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\",\n ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) >\n 0\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_chmod\n version: d8ac6517\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.mode != chmod.file.destination.mode\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_chown\n version: 3d04895f\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_link\n version: eb594616\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n )\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open\n version: c34bcf3a\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open_v2\n version: a90058eb\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_rename\n version: e42eefb4\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: 
ssl_certificate_tampering_unlink\n version: 37c40311\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_utimes\n version: 29db81c1\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chmod\n version: ae70daab\n description: Sudoers policy file may have been modified without authorization\n expression: \"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode\\\n \\ != chmod.file.mode && process.ancestors.file.path not in 
[~\\\"/usr/bin/apt*\\\"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\"\\\n , ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"\\\n ]\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chown\n version: 898b1aa0\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (chown.file.path == \"/etc/sudoers\")\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_link\n version: 1f1b8962\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_open\n version: af2610b6\n description: Sudoers policy file may have been modified without authorization\n expression: |2-\n\n (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_rename\n version: 531fc9ae\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_unlink\n version: 5568da57\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (unlink.file.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_utimes\n version: d99c2466\n 
description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (utimes.file.path == \"/etc/sudoers\")\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: suid_file_execution\n version: 1b4f4075\n description: a SUID file was executed\n expression: (setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID\n > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"\n agent_version: ''\n filters: []\n- id: suspicious_container_client\n version: 8b9461f4\n description: A container management utility was executed in a container\n expression: exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: suspicious_suid_execution\n version: 216c8207\n description: Recently written or modified suid file has been executed\n expression: ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n version: b0643139\n description: A service may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && 
process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: systemd_modification_chown\n version: a0497885\n description: A service may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: systemd_modification_link\n version: 11a77f5b\n description: A service may have been modified without authorization\n expression: |-\n (\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_open\n version: b6dce303\n description: A service may have been modified without authorization\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_rename\n version: 9759ce6\n description: A service may have been modified without authorization\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_unlink\n version: 8400ece8\n description: A service may have been modified without authorization\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_utimes\n version: 82acf2d\n description: A service may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: tar_execution\n version: e63af392\n description: Tar archive created\n expression: exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- 
id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\n version: f43786f8\n description: Test Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: Test Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n 
agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == 
\"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n 
agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n 
agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\n version: 28ba1078\n description: an agent 
rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == 
\"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: 
[]\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\n version: 28ba1078\n description: an agent rule\n expression: 
exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\n 
version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tty_shell_in_container\n version: 3d9489bb\n description: A shell with a TTY was executed in a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"\n agent_version: ''\n filters: []\n- id: tunnel_traffic\n version: 816201a5\n description: Tunneling or port forwarding tool used\n expression: ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags\n in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in\n [\"R\", \"L\", \"D\", \"w\"] && process.args in 
[r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"]\n ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"])\n || (exec.comm == \"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) ||\n (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\",\n \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: user_created_tty\n version: 5b5f4a52\n description: A user was created via an interactive session\n expression: exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name\n !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version: ''\n filters: []\n- id: user_deleted_tty\n version: ad8edbe\n description: A user was deleted via an interactive session\n expression: exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path\n not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: windows_cryptominer_process\n version: e26f81ab\n description: A cryptominer was potentially executed\n expression: exec.cmdline in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\",\n ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\",\n ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n" + "size": 131981, + "text": "# IMPORTANT: Edits to this file will not be 
reflected in the Datadog App and will be overwritten with new policy file downloads. Please modify rules in the Datadog App for full functionality.\nversion: '1743517859524'\nrules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An AppArmor profile was modified in an interactive session\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n !=\"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditctl_usage\n version: fdc2412d\n description: The auditctl command was used to modify auditd\n expression: exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditd_config_modified\n version: c7f52a7a\n description: The auditd configuration file was modified without using auditctl\n expression: open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\n > 0 && process.file.name != \"auditctl\"\n agent_version: ''\n filters: []\n- id: auditd_rule_file_modified\n version: c533115d\n description: The auditd rules file was modified without using auditctl\n expression: open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name !=\n \"auditctl\"\n agent_version: ''\n filters: []\n- id: aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description: The AWS EKS service account token was accessed\n expression: open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", 
\"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: aws_imds\n version: 6d47fcfe\n description: An AWS IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\",\n \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]\n agent_version: ''\n filters: []\n- id: aws_metadata_service\n version: 4601e52e\n description: EC2 Instance Metadata Service Accessed via Network Utility\n expression: exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in\n [~\"*169.254.169.254*\"]\n agent_version: ''\n filters: []\n- id: azure_imds\n version: 784f9a83\n description: An Azure IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]\n agent_version: ''\n filters: []\n- id: chatroom_request\n version: 91aa2a0f\n description: A DNS request was made for a chatroom domain\n expression: dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: common_net_intrusion_util\n version: c7198131\n description: A network utility (nmap) commonly used in intrusion attacks was executed\n expression: exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\",\n \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]\n agent_version: ''\n filters: []\n- id: compile_after_delivery\n version: f41c1e36\n description: A compiler wrote a suspicious file in a container\n expression: |-\n open.flags & O_CREAT > 0\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", 
~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n )\n && (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n && process.file.name not in [\"pip\", ~\"python*\"]\n && container.id != \"\"\n agent_version: ''\n filters: []\n- id: compiler_in_container\n version: 441a7e85\n description: Compiler Executed in Container\n expression: (exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path\n != \"/usr/bin/cilium-agent\"\n agent_version: ''\n filters: []\n- id: credential_modified_chmod\n version: 7e14d921\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: credential_modified_chown\n version: 3731e0d5\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: credential_modified_link\n version: 7594ec54\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_open_v2\n version: 5aec9afe\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n version: 8bb8242b\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_unlink\n version: 5af577d\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", 
\"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n version: 1c101338\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chmod\n version: 13512ebc\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && chmod.file.destination.mode != chmod.file.mode\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chown\n version: ee7b306c\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chown.file.path in [ 
~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_link\n version: b83e03f6\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_open\n version: 561ad06\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_rename\n version: 59b739d8\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (rename.file.path in [ 
~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_unlink\n version: 82b6d187\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_utimes\n version: d460ba68\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cryptominer_args\n version: fc017137\n description: A process launched with arguments associated with cryptominers\n expression: exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args\n in [~\"*stratum+tcp*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: cryptominer_envs\n version: 
654a00aa\n description: Process environment variables match cryptocurrency miner\n expression: exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: curl_docker_socket\n version: f736b6e6\n description: The Docker socket was referenced in a cURL command\n expression: exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args\n in [\"*docker.sock*\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: database_shell_execution\n version: 3508c713\n description: A database application spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n process.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n !(process.parent.file.name == \"initdb\" &&\n exec.args == \"-c locale -a\") &&\n !(process.parent.file.name == 
\"postgres\" &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: deploy_priv_container\n version: 356d5ee7\n description: A privileged container was created\n expression: exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted\n & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters: []\n- id: dirty_pipe_attempt\n version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag\n & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dirty_pipe_exploitation\n version: 9bcacfe3\n description: Potential Dirty pipe exploitation\n expression: (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dummy_rule\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_AszwF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_BAiZP\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_CpDMZ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_DBtCK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_HfYXr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_JAnCe\n version: 28ba1078\n description: 
Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KJInv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KSDPb\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_LPRxi\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_PkauG\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_RMoJm\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_Tjzvu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VfQSV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VxNSK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_XcxFr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bKkuv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bVlLJ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == 
\"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_cdxqn\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_fWORB\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_iNwDw\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_ipyRF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_ivMAv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_jcvqK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_lszUX\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_mABue\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_qDgvU\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_sUVnW\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_tSfwV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
dummy_rule_xkrhu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n version: 1924611e\n description: A process unlinked a dynamic linker config file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"]\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_write\n version: 764fc516\n description: A process wrote to a dynamic linker config file\n expression: open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: example_agent_rule\n version: 28ba1078\n description: An example agent rule generated in terraform\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == 
\"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exec_lsmod\n version: 1a14c811\n description: Kernel modules were listed using the lsmod 
command\n expression: exec.comm == \"lsmod\"\n agent_version: ''\n filters: []\n- id: exec_whoami\n version: 90ea91b6\n description: The whoami command was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n filters: []\n- id: gcp_imds\n version: 3035dbbf\n description: An GCP IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\",\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version: 60fd84a9\n description: A hidden file was executed in a suspicious folder\n expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version: ''\n filters: []\n- id: interactive_shell_in_container\n version: 757f83d3\n description: An interactive shell was started inside of a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: ip_check_domain\n version: 2d5285c0\n description: A DNS lookup was done for a IP check service\n expression: dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && 
process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: java_shell_execution\n version: 24c2eb7c\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/b
in/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.ancestors.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: java_shell_execution_parent\n version: 1bcff0aa\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.parent.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: jupyter_shell_execution\n version: d2d9243c\n description: A Jupyter notebook executed a 
shell\n expression: (exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"]\n || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"])\n && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: k8s_pod_service_account_token_accessed\n version: 88c0ee3a\n description: The Kubernetes pod service account token was accessed\n expression: open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\",\n ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\"\n && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\",\n 
\"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\",\n \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path not in [\"/usr/bin/cilium-agent\",\n \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\",\n \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\",\n \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\",\n \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\",\n \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\",\n \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\",\n \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\",\n \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\",\n \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 82c61c82\n description: A new kernel module was added\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: kernel_module_chown\n version: ca2cf124\n description: A new kernel module was added\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: kernel_module_link\n version: a18ca197\n description: A new kernel module was added\n expression: |-\n (\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_load\n version: 904592b4\n description: A kernel module was loaded\n expression: load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\",\n \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"]\n && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\",\n \"xtables-legacy-multi\", \"ssm-agent-worker\"]\n agent_version: ''\n filters: []\n- id: kernel_module_load_container\n version: 139b666a\n description: A container loaded a new kernel module\n expression: load_module.name != \"\" && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n description: A kernel module was loaded from memory\n expression: load_module.loaded_from_memory == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n version: a277c753\n description: A kernel module was loaded from memory inside a container\n expression: load_module.loaded_from_memory == true && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_open\n version: 55f9569\n description: A new kernel module was added\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n 
agent_version: ''\n filters: []\n- id: kernel_module_rename\n version: 9d8cb7d8\n description: A new kernel module was added\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_unlink\n version: 652391be\n description: A new kernel module was added\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_utimes\n version: 405d45e7\n description: A new kernel module was added\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kmod_list\n version: c353a548\n description: Kernel modules were listed using the kmod command\n expression: exec.comm == \"kmod\" && exec.args in [~\"*list*\"]\n agent_version: ''\n filters: []\n- id: ld_preload_unusual_library_path\n version: cc6fd0c4\n description: The LD_PRELOAD variable is populated by a link to a suspicious file\n directory\n expression: exec.envs in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]\n agent_version: ''\n filters: []\n- id: memfd_create\n version: 5908512a\n description: memfd object created\n expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\"\n agent_version: ''\n filters: []\n- id: mount_host_fs\n version: accb4f\n description: The host file system was mounted in a container\n expression: mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n agent_version: ''\n filters: []\n- id: mount_proc_hide\n version: fd887e01\n description: Process hidden using mount\n expression: mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\",\n ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_file_download\n version: 75b930ad\n description: A suspicious file was written by a network utility\n expression: |-\n open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n )\n agent_version: ''\n filters: []\n- id: net_unusual_request\n 
version: 3df2d9ef\n description: Network utility executed with suspicious URI\n expression: 'exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n filters: []\n- id: net_util\n version: fc362090\n description: A network utility was executed\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_exfiltration\n version: 5f7c8871\n description: Exfiltration attempt via network utility\n expression: \"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options\\\n \\ in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\"\\\n , ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_util_in_container\n version: 69e03ac1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_in_container_v2\n version: 26d8eba1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: network_sniffing_tool\n 
version: 4ae409bf\n description: Local account groups were enumerated after container start up\n expression: exec.file.name in [\"tcpdump\", \"tshark\"]\n agent_version: ''\n filters: []\n- id: new_binary_execution_in_container\n version: 9dc42e1d\n description: A container executed a new binary not found in the container image\n expression: container.id != \"\" && process.file.in_upper_layer && process.file.modification_time\n < 30s && exec.file.name != \"\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_us1_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chmod\n version: d301aedf\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chown\n version: '69383592'\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_link\n version: e0565b29\n description: Nsswitch Configuration Modified\n expression: 
|-\n (\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open\n version: b5602c6f\n description: Nsswitch Configuration Modified\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open_v2\n version: abef53c9\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_rename\n version: aad34176\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_unlink\n version: 8a3e2fbb\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: ntds_in_commandline\n version: 5cdd4bba\n description: NTDS file referenced in commandline\n expression: exec.cmdline =~ \"*ntds.dit*\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: offensive_k8s_tool\n version: b83fba22\n description: A known kubernetes pentesting tool has been executed\n expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv ||\n \"kubestriker\" in exec.argv ) ) || exec.file.name in [ 
\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: package_management_in_container\n version: c152fcaf\n description: Package management was detected in a container\n expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: pam_modification_chmod\n version: 974a676e\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pam_modification_chown\n version: ca22d0ab\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pam_modification_link\n version: 3d5d6b31\n description: PAM Configuration Files Modification\n expression: |-\n (\n (link.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_open\n version: 9440f452\n description: PAM Configuration Files Modification\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_rename\n version: bd1d257a\n description: PAM Configuration Files Modification\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in 
[ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_unlink\n version: c3dc53e1\n description: PAM Configuration Files Modification\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_utimes\n version: d377b599\n description: PAM may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: passwd_execution\n version: e1d41f5e\n description: The passwd or chpasswd utility was used to modify an account password\n expression: exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags\n not in [\"S\", \"status\"]\n agent_version: ''\n filters: []\n- id: paste_site\n version: b528c8d4\n description: A DNS lookup was done for a pastebin-like site\n expression: dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\",\n \"klgrth.io\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chown\n version: 21da2189\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_link\n version: a7ac587c\n description: Critical system binaries may have been modified\n expression: |-\n (\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open\n version: f583ba7c\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open_v2\n version: 45abd074\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version: e0bc0857\n description: Critical system binaries may have been modified\n expression: |-\n (\n (rename.file.path in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_unlink\n version: 3bb086ca\n description: Critical system binaries may have been modified\n expression: |-\n (\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_utimes\n version: 6d979630\n description: Critical system binaries may have been modified\n expression: |-\n (\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: potential_cryptominer\n version: 4241c309\n description: A process resolved a DNS name associated with cryptomining activity\n expression: dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\",\n ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\",\n ~\"*rplant.xyz\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: potential_web_shell_parent\n version: b67ffbcd\n description: A web application spawned a shell or shell utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")\n agent_version: ''\n filters: []\n- id: ps_discovery\n version: 
a0a32c4b\n description: Processes were listed using the ps command\n expression: exec.comm == \"ps\" && exec.argv not in [\"-p\", \"--pid\"] && process.ancestors.file.name\n not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] && process.parent.file.name\n not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\",\n \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\",\n \"check_procs\", \"newrelic-daemon\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ptrace_antidebug\n version: a6289ff7\n description: A process uses an anti-debugging technique to block debuggers\n expression: ptrace.request == PTRACE_TRACEME && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: ptrace_injection\n version: 6d290a43\n description: A process attempted to inject code into another process\n expression: ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n || ptrace.request == PTRACE_POKEUSR\n agent_version: ''\n filters: []\n- id: pwnkit_privilege_escalation\n version: c83bbabc\n description: A process was spawned with indicators of exploitation of CVE-2021-4034\n expression: (exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"]\n && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)\n agent_version: ''\n filters: []\n- id: python_cli_code\n version: '989474'\n description: Python code was provided on the command line\n expression: exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args\n in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version: ''\n filters: []\n- id: ransomware_note\n version: ee40f85a\n description: Possible ransomware note created under common user directories\n expression: |-\n open.flags & O_CREAT > 0\n && open.file.path in [~\"/home/**\", ~\"/root/**\", 
~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n && open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] && open.file.name not in [r\".*\\.lock$\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n description: RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: read_kubeconfig\n version: '80926379'\n description: The kubeconfig file was accessed\n expression: open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]\n agent_version: ''\n filters: []\n- id: read_release_info\n version: d0cc9710\n description: OS information was read from the /etc/lsb-release file\n expression: open.file.path == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0\n agent_version: ''\n filters: []\n- id: redis_save_module\n version: b1cb9110\n description: Redis module has been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\", \"redis-server\"]\n agent_version: ''\n filters: []\n- id: registry_runkey_modified\n version: 3df7b8e9\n description: A Registry runkey has been modified\n expression: set.registry.key_path in [~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n 
~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\n NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: runc_modification\n version: c7144439\n description: The runc binary was modified in a non-standard way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: safeboot_modification\n version: 75fb1a6f\n description: Safeboot registry modified\n expression: set.registry.key_path =~ \"*\\\\HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: scheduled_task_creation\n version: 9c3f2289\n description: A scheduled task was created\n expression: exec.file.name in [\"at.exe\",\"schtasks.exe\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: selinux_disable_enforcement\n 
version: afa9a8ba\n description: SELinux enforcement status was disabled\n expression: selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args\n != ~\"*BECOME-SUCCESS*\"\n agent_version: ''\n filters: []\n- id: service_stop\n version: 8e434232\n description: systemctl used to stop a service\n expression: exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]\n agent_version: ''\n filters: []\n- id: shell_history_deleted\n version: ff763e6\n description: Shell History was Deleted\n expression: (unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") && process.comm\n not in [\"dockerd\", \"containerd\"]\n agent_version: ''\n filters: []\n- id: shell_history_symlink\n version: 31982e4d\n description: A symbolic link for shell history was created targeting /dev/null\n expression: exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n agent_version: ''\n filters: []\n- id: shell_history_truncated\n version: 38ec83e8\n description: Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name\n =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path in [~\"/root/*\", ~\"/home/**\"]\n && process.file.name == \"truncate\"\n agent_version: ''\n filters: []\n- id: shell_profile_modification\n version: d1cecdac\n description: Shell profile was modified\n expression: open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chmod\n version: e4096f79\n description: SSH modified keys may have been modified\n expression: |-\n (\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chown\n version: 9639bf6\n description: SSH modified keys may have been 
modified\n expression: |-\n (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_link\n version: 81382bdd\n description: SSH Authorized Keys Modified\n expression: |-\n (\n link.file.name == \"authorized_keys\" && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open\n version: 1ae8f7d6\n description: SSH Authorized Keys Modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name == \"authorized_keys\" && (open.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open_v2\n version: 513f8108\n description: SSH modified keys may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_rename\n version: fd3bdabf\n description: SSH Authorized Keys Modified\n expression: |-\n (\n rename.file.name == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_unlink\n version: 54cf4a88\n description: SSH Authorized Keys Modified\n expression: |-\n (\n unlink.file.name == \"authorized_keys\" && (unlink.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_utimes\n version: 59377e61\n description: SSH Authorized Keys Modified\n expression: |-\n (\n utimes.file.name == 
\"authorized_keys\" && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_it_tool_config_write\n version: 86ae3762\n description: The configuration directory for an ssh worm\n expression: open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\",\n ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) >\n 0\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_chmod\n version: d8ac6517\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.mode != chmod.file.destination.mode\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_chown\n version: 3d04895f\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != 
\"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_link\n version: eb594616\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n )\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open\n version: c34bcf3a\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: 
ssl_certificate_tampering_open_v2\n version: a90058eb\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_rename\n version: e42eefb4\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_unlink\n version: 37c40311\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_utimes\n version: 29db81c1\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chmod\n version: ae70daab\n description: Sudoers policy file may have been modified without authorization\n expression: \"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode\\\n \\ != chmod.file.mode && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\"\\\n , ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"\\\n ]\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chown\n version: 898b1aa0\n 
description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (chown.file.path == \"/etc/sudoers\")\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_link\n version: 1f1b8962\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_open\n version: af2610b6\n description: Sudoers policy file may have been modified without authorization\n expression: |2-\n\n (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_rename\n version: 531fc9ae\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_unlink\n version: 5568da57\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (unlink.file.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_utimes\n version: d99c2466\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (utimes.file.path == \"/etc/sudoers\")\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: suid_file_execution\n version: 1b4f4075\n description: a SUID file was executed\n expression: (setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID\n > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"\n agent_version: ''\n filters: []\n- id: suspicious_container_client\n version: 8b9461f4\n description: A container management utility was executed in a container\n expression: exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: suspicious_suid_execution\n version: 216c8207\n description: Recently written or modified suid file has been executed\n expression: ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n version: b0643139\n description: A service may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: systemd_modification_chown\n version: a0497885\n 
description: A service may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: systemd_modification_link\n version: 11a77f5b\n description: A service may have been modified without authorization\n expression: |-\n (\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_open\n version: b6dce303\n description: A service may have been modified without authorization\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_rename\n version: 9759ce6\n description: A service may have been modified without authorization\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", 
~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_unlink\n version: 8400ece8\n description: A service may have been modified without authorization\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_utimes\n version: 82acf2d\n description: A service may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: tar_execution\n version: e63af392\n description: Tar archive created\n expression: exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\n version: f43786f8\n description: Test Agent 
rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n 
agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\n version: 28ba1078\n description: an agent rule\n 
expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name 
== \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tty_shell_in_container\n version: 3d9489bb\n description: A shell with a TTY was executed in a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"\n agent_version: ''\n filters: []\n- id: tunnel_traffic\n version: 816201a5\n description: Tunneling or port forwarding tool used\n expression: ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags\n in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in\n [\"R\", \"L\", \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"]\n ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"])\n || (exec.comm == 
\"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) ||\n (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\",\n \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: user_created_tty\n version: 5b5f4a52\n description: A user was created via an interactive session\n expression: exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name\n !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version: ''\n filters: []\n- id: user_deleted_tty\n version: ad8edbe\n description: A user was deleted via an interactive session\n expression: exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path\n not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: windows_cryptominer_process\n version: e26f81ab\n description: A cryptominer was potentially executed\n expression: exec.cmdline in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\",\n ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\",\n ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n" }, "cookies": [], "headers": [ 
@@ -41,14 +41,14 @@ "value": "application/yaml" } ], - "headersSize": 695, + "headersSize": 694, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-04-23T17:57:50.140Z", - "time": 363 + "startedDateTime": "2025-04-01T14:30:59.440Z", + "time": 319 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_2775047112/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_2775047112/frozen.json new file mode 100644 index 000000000000..4af33119fb8f --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_2775047112/frozen.json @@ -0,0 +1 @@ +"2025-04-15T09:10:08.098Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_2775047112/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_2775047112/recording.har new file mode 100644 index 000000000000..f8cf9fdb4f88 --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response_2775047112/recording.har 
@@ -0,0 +1,162 @@ +{ + "log": { + "_recordingName": "CSM Threats/Update a CSM Threats Agent policy returns \"Bad Request\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "b2969d2285e549371c5e69b0b4dd2cdd", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 192, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 595, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1744708208\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 472, + "content": { + "mimeType": "application/json", + "size": 472, + "text": "{\"data\":{\"id\":\"pp8-iw5-agt\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1744708208\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708208235,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-15T09:10:08.101Z", + "time": 539 + }, + { + "_id": 
"650099411ff91bfa4706321ef39f0234", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 172, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 608, + "httpVersion": "HTTP/1.1", + "method": "PATCH", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:test\"],\"hostTagsLists\":[[\"env:test\"]],\"name\":\"\"},\"id\":\"pp8-iw5-agt\",\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/pp8-iw5-agt" + }, + "response": { + "bodySize": 49, + "content": { + "mimeType": "application/json", + "size": 49, + "text": "{\"errors\":[{\"title\":\"failed to update policy\"}]}\n" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 216, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 400, + "statusText": "Bad Request" + }, + "startedDateTime": "2025-04-15T09:10:08.644Z", + "time": 202 + }, + { + "_id": "f0b0524429952cdc71eed76275cc04bd", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 543, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/pp8-iw5-agt" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": 
"2025-04-15T09:10:08.850Z", + "time": 546 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3584252671/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3584252671/frozen.json new file mode 100644 index 000000000000..044d9ffe193f --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3584252671/frozen.json @@ -0,0 +1 @@ +"2025-04-01T14:31:00.854Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3584252671/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3584252671/recording.har new file mode 100644 index 000000000000..d89df5324e73 --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response_3584252671/recording.har 
@@ -0,0 +1,67 @@ +{ + "log": { + "_recordingName": "CSM Threats/Update a CSM Threats Agent policy returns \"Not Found\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "53c2d138ea8fe494db009481f45b660f", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 157, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 619, + "httpVersion": "HTTP/1.1", + "method": "PATCH", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[],\"name\":\"my_agent_policy\"},\"id\":\"non-existent-policy-id\",\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/non-existent-policy-id" + }, + "response": { + "bodySize": 49, + "content": { + "mimeType": "application/json", + "size": 49, + "text": "{\"errors\":[{\"title\":\"failed to update policy\"}]}\n" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 216, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 400, + "statusText": "Bad Request" + }, + "startedDateTime": "2025-04-01T14:31:00.864Z", + "time": 121 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-OK-response_2370796006/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-OK-response_2370796006/frozen.json new file mode 100644 index 000000000000..80fd906eb251 --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-OK-response_2370796006/frozen.json 
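Review bot: The recording named "Update a CSM Threats Agent policy returns "Not Found" response" captures a `400 Bad Request` with the generic body `{"errors":[{"title":"failed to update policy"}]}` for the PATCH to `.../policy/non-existent-policy-id`, not a 404. Either the scenario in the feature file expects 400 and its name is misleading, or it expects 404 and will not match this cassette on replay; the cassette alone does not show which, and the feature definition is outside this diff. Note that this is byte-for-byte the same status and message the "Bad Request" recording gets for an invalid update, so a caller cannot distinguish "policy does not exist" from "invalid payload" — any error typing generated for this client should not assume an unknown policy id yields 404.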
@@ -0,0 +1 @@ +"2025-04-15T09:10:09.401Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-OK-response_2370796006/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-OK-response_2370796006/recording.har new file mode 100644 index 000000000000..1e8a1fd5ddda --- /dev/null +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-policy-returns-OK-response_2370796006/recording.har 
@@ -0,0 +1,162 @@ +{ + "log": { + "_recordingName": "CSM Threats/Update a CSM Threats Agent policy returns \"OK\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "1fb5c500dfb92425cd6556ea5193a93b", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 184, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 595, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentpolicyreturnsokresponse1744708209\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 464, + "content": { + "mimeType": "application/json", + "size": 464, + "text": "{\"data\":{\"id\":\"99n-cjh-wuo\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentpolicyreturnsokresponse1744708209\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708209551,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-15T09:10:09.404Z", + "time": 513 + }, + { + "_id": "dece40303b3e2573dca54114f43a268e", + "_order": 
0, + "cache": {}, + "request": { + "bodySize": 173, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 608, + "httpVersion": "HTTP/1.1", + "method": "PATCH", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"Updated agent policy\",\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"name\":\"updated_agent_policy\"},\"id\":\"99n-cjh-wuo\",\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/99n-cjh-wuo" + }, + "response": { + "bodySize": 434, + "content": { + "mimeType": "application/json", + "size": 434, + "text": "{\"data\":{\"id\":\"99n-cjh-wuo\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"Updated agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"updated_agent_policy\",\"policyVersion\":\"2\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708210164,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-15T09:10:09.922Z", + "time": 708 + }, + { + "_id": "28e61e7ed20c905afde76eaf56075e7a", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 543, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": 
"https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/99n-cjh-wuo" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-04-15T09:10:10.647Z", + "time": 541 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_400928944/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_400928944/frozen.json index d7ed78e95c91..4fd4675dfe49 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_400928944/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_400928944/frozen.json @@ -1 +1 @@ -"2024-05-28T19:38:08.047Z" +"2025-04-15T09:10:11.192Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_400928944/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_400928944/recording.har index cf46937517c3..3b0ffa435b66 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_400928944/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response_400928944/recording.har 
@@ -8,11 +8,64 @@ }, "entries": [ { - "_id": "f62fa329b7d7f3c439455f1d7d83ff69", + "_id": "11c0a11685112ec419e000da0df22c67", "_order": 0, "cache": {}, "request": { - "bodySize": 205, + "bodySize": 190, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 595, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 470, + "content": { + "mimeType": "application/json", + "size": 470, + "text": "{\"data\":{\"id\":\"1i5-k3r-2dg\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708211304,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-15T09:10:11.210Z", + "time": 380 + }, + { + "_id": "f04fc9f733c8f9204e1df0f3edfee6c9", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 284, "cookies": [], "headers": [ { 
@@ -32,7 +85,7 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1716925088\"},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\",\"policy_id\":\"1i5-k3r-2dg\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" 
@@ -42,7 +95,7 @@ "content": { "mimeType": "application/json", "size": 520, - "text": "{\"data\":{\"id\":\"0wn-l36-875\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716925088306,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1716925088\",\"updateDate\":1716925088306,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + "text": "{\"data\":{\"id\":\"qtl-8mk-8gy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1744708211716,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\",\"updateDate\":1744708211716,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" }, "cookies": [], "headers": [ @@ -57,15 +110,15 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-05-28T19:38:08.254Z", - "time": 648 + "startedDateTime": "2025-04-15T09:10:11.594Z", + "time": 707 }, { - "_id": "093c028966a7d4d4e415092f0a75ee45", + "_id": "e52d38b80b4382d90ebf96069dc20eab", "_order": 0, "cache": {}, "request": { - "bodySize": 146, + "bodySize": 203, "cookies": [], "headers": [ { 
@@ -85,17 +138,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"open.file.path = sh\"},\"id\":\"0wn-l36-875\",\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"1i5-k3r-2dg\",\"product_tags\":[]},\"id\":\"invalid-agent-rule-id\",\"type\":\"agent_rule\"}}" }, "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/0wn-l36-875" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/qtl-8mk-8gy" }, "response": { - "bodySize": 211, + "bodySize": 47, "content": { "mimeType": "application/json", - "size": 211, - "text": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testupdateacsmthreatsagentrulereturnsbadrequestresponse1716925088` error: syntax error `1:18: unexpected token \\\"sh\\\" (expected \\\"~\\\")`)\"]}" + "size": 47, + "text": "{\"errors\":[{\"title\":\"failed to update rule\"}]}\n" }, "cookies": [], "headers": [ 
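Review bot: The new PATCH body carries `"id":"invalid-agent-rule-id"` while the URL path targets the just-created rule `qtl-8mk-8gy`, so the recorded 400 is most plausibly triggered by the body/path id mismatch rather than by a malformed rule, and the generic `failed to update rule` body no longer pins what was rejected (the replaced recording exercised `expression` validation and got a descriptive `input_validation_error`). If the intent is still to cover the "Bad Request" path for a malformed rule, the scenario should send an invalid `expression` so the cassette documents the validation path; if the mismatched id is the intended trigger, the scenario name should say so. Which server-side check actually fires cannot be determined from the cassette alone.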
@@ -104,17 +157,59 @@ "value": "application/json" } ], - "headersSize": 217, + "headersSize": 216, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 400, "statusText": "Bad Request" }, - "startedDateTime": "2024-05-28T19:38:08.909Z", - "time": 164 + "startedDateTime": "2025-04-15T09:10:12.306Z", + "time": 156 + }, + { + "_id": "a69cd5fd0e07d6d2a98b3dc95cae8960", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 545, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/qtl-8mk-8gy" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-04-15T09:10:12.466Z", + "time": 780 }, { - "_id": "3fee0144947347d25c7babbbf617da0b", + "_id": "1346db6d9d2d5b3a73df39a434f3cce3", "_order": 0, "cache": {}, "request": { @@ -127,11 +222,11 @@ "value": "*/*" } ], - "headersSize": 546, + "headersSize": 543, "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/0wn-l36-875" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1i5-k3r-2dg" }, "response": { "bodySize": 0, @@ -152,8 +247,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2024-05-28T19:38:09.079Z", - "time": 403 + "startedDateTime": "2025-04-15T09:10:13.249Z", + "time": 559 } ], "pages": [], 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response_3853715143/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response_3853715143/frozen.json index 61908ca94b34..b37482c921d7 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response_3853715143/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response_3853715143/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:51.488Z" +"2025-04-01T14:31:02.941Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response_3853715143/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response_3853715143/recording.har index d2221c8135a0..c846364cb238 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response_3853715143/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response_3853715143/recording.har @@ -8,11 +8,11 @@ }, "entries": [ { - "_id": "7807b5a597b5187bb0a377a5ae8ad078", + "_id": "a5b4f0f5921d1238a3ba7be467925bdd", "_order": 0, "cache": {}, "request": { - "bodySize": 149, + "bodySize": 188, "cookies": [], "headers": [ { 
@@ -26,16 +26,69 @@ "value": "application/json" } ], - "headersSize": 611, + "headersSize": 595, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentrulereturnsnotfoundresponse1743517862\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 468, + "content": { + "mimeType": "application/json", + "size": 468, + "text": "{\"data\":{\"id\":\"jnw-szj-ssb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsnotfoundresponse1743517862\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517862965,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-01T14:31:02.943Z", + "time": 475 + }, + { + "_id": "01c1270a1be6f0b0dc98f31d16c15991", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 202, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 620, "httpVersion": "HTTP/1.1", "method": "PATCH", "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"abc-123-xyz\",\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"jnw-szj-ssb\",\"product_tags\":[]},\"id\":\"non-existent-rule-id\",\"type\":\"agent_rule\"}}" }, "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/non-existent-rule-id" }, "response": { "bodySize": 47, @@ -57,8 +110,50 @@ "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2024-04-23T17:57:51.493Z", - "time": 140 + "startedDateTime": "2025-04-01T14:31:03.422Z", + "time": 300 + }, + { + "_id": "4f00a455c4194dd26a08813d14665dd0", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 543, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/jnw-szj-ssb" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-04-01T14:31:03.728Z", + "time": 267 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-OK-response_2793812990/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-OK-response_2793812990/frozen.json index 2805f7057386..863af66d33bb 100644 
--- a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-OK-response_2793812990/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-OK-response_2793812990/frozen.json @@ -1 +1 @@ -"2024-04-23T17:57:51.647Z" +"2025-04-01T14:31:03.998Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-OK-response_2793812990/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-OK-response_2793812990/recording.har index 6a73b92c1f52..bb9e708d6d23 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-OK-response_2793812990/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-CSM-Threats-Agent-rule-returns-OK-response_2793812990/recording.har 
@@ -8,11 +8,64 @@ }, "entries": [ { - "_id": "471eb78b7cfd2f704ae3f2883a04f580", + "_id": "0c3fda991c431b08836a391d182a1d50", "_order": 0, "cache": {}, "request": { - "bodySize": 197, + "bodySize": 182, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 595, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\"},\"type\":\"policy\"}}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy" + }, + "response": { + "bodySize": 462, + "content": { + "mimeType": "application/json", + "size": 462, + "text": "{\"data\":{\"id\":\"evg-ugc-rb3\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517864028,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 217, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-04-01T14:31:04.000Z", + "time": 359 + }, + { + "_id": "a3be84667def08ce24bed8ef3fb00988", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 276, "cookies": [], "headers": [ { 
@@ -32,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1713895071\"},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\",\"policy_id\":\"evg-ugc-rb3\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" }, "response": { - "bodySize": 456, + "bodySize": 512, "content": { "mimeType": "application/json", - "size": 456, - "text": "{\"data\":{\"id\":\"0am-0rq-wvm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713895071711,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1713895071\",\"updateDate\":1713895071711,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 512, + "text": "{\"data\":{\"id\":\"pqr-gh6-gj4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517864391,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\",\"updateDate\":1743517864391,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" }, "cookies": [], "headers": [ @@ -57,15 +110,15 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-04-23T17:57:51.652Z", - "time": 491 + "startedDateTime": "2025-04-01T14:31:04.364Z", + "time": 597 }, { - "_id": "d0c38981b717ce2d3ca5a0603acce280", + "_id": "b034f20b0de9d90d4bc81f6b2418a850", "_order": 0, "cache": {}, "request": { - "bodySize": 151, + "bodySize": 193, "cookies": [], "headers": [ { 
@@ -79,23 +132,28 @@ "value": "application/json" } ], - "headersSize": 611, + "headersSize": 633, "httpVersion": "HTTP/1.1", "method": "PATCH", "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"0am-0rq-wvm\",\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"evg-ugc-rb3\",\"product_tags\":[]},\"id\":\"pqr-gh6-gj4\",\"type\":\"agent_rule\"}}" }, - "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/0am-0rq-wvm" + "queryString": [ + { + "name": "policy_id", + "value": "evg-ugc-rb3" + } + ], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pqr-gh6-gj4?policy_id=evg-ugc-rb3" }, "response": { - "bodySize": 458, + "bodySize": 512, "content": { "mimeType": "application/json", - "size": 458, - "text": "{\"data\":{\"id\":\"0am-0rq-wvm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713895071000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1713895071\",\"updateDate\":1713895072276,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}}}" + "size": 512, + "text": "{\"data\":{\"id\":\"pqr-gh6-gj4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517864000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\",\"updateDate\":1743517865118,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}" }, "cookies": [], "headers": [ @@ -110,11 +168,53 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-04-23T17:57:52.156Z", - "time": 441 + "startedDateTime": "2025-04-01T14:31:04.967Z", + "time": 595 + }, + { + "_id": "eebe739e597aa7ad2ae55b6070b7c5a1", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 545, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pqr-gh6-gj4" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "application/json", + "size": 0 + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 196, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-04-01T14:31:05.565Z", + "time": 465 }, { - "_id": "6111ac835a6e0dab01fb7ef0e9c6b924", + "_id": "0c78cd956f6998e1e8cd000071236304", "_order": 0, "cache": {}, "request": { @@ -127,11 +227,11 @@ "value": "*/*" } ], - "headersSize": 546, + "headersSize": 543, "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/0am-0rq-wvm" + "url": "https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/evg-ugc-rb3" }, "response": { "bodySize": 0, @@ -152,8 +252,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2024-04-23T17:57:52.614Z", - "time": 315 + "startedDateTime": "2025-04-01T14:31:06.033Z", + "time": 291 } ], "pages": [], 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1212149568/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1212149568/frozen.json index a48f4be5e46a..98680f11e9d0 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1212149568/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1212149568/frozen.json @@ -1 +1 @@ -"2024-05-28T19:38:09.490Z" +"2025-04-18T09:10:14.669Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1212149568/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1212149568/recording.har index 38f2c34ba5bf..e705d3de20f0 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1212149568/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response_1212149568/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "a135c5ab5ca5e21838b2ea5530f3a5c9", + "_id": "6117d741146f754562accea7ec42f4ff", "_order": 0, "cache": {}, "request": { 
@@ -26,13 +26,13 @@ "value": "application/json" } ], - "headersSize": 625, + "headersSize": 626, "httpVersion": "HTTP/1.1", "method": "POST", "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1716925089\"},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414\"},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules" 
@@ -42,7 +42,7 @@ "content": { "mimeType": "application/json", "size": 696, - "text": "{\"data\":{\"id\":\"qdg-dfm-kku\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1716925089\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1716925089625,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1716925089625,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"defaultRule\":false,\"enabled\":true,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n" + "text": "{\"data\":{\"id\":\"03s-ro8-kgi\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967414924,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967414924,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n" }, "cookies": [], "headers": [ 
@@ -57,15 +57,15 @@ "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-05-28T19:38:09.492Z", - "time": 165 + "startedDateTime": "2025-04-18T09:10:14.672Z", + "time": 300 }, { - "_id": "f29f2542be39334fdc8b2ad205b681c8", + "_id": "8b083a0f780e6fec489c57490e757c7e", "_order": 0, "cache": {}, "request": { - "bodySize": 146, + "bodySize": 139, "cookies": [], "headers": [ { @@ -85,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"open.file.path = sh\"},\"id\":\"qdg-dfm-kku\",\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\"},\"id\":\"03s-ro8-kgi\",\"type\":\"agent_rule\"}}" }, "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/qdg-dfm-kku" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/03s-ro8-kgi" }, "response": { - "bodySize": 223, + "bodySize": 218, "content": { "mimeType": "application/json", - "size": 223, - "text": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1716925089` error: syntax error `1:18: unexpected token \\\"sh\\\" (expected \\\"~\\\")`)\"]}\n" + "size": 218, + "text": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414` error: rule syntax error: bool expected: 1:1: exec.file.name\\n^)\"]}\n" }, "cookies": [], "headers": [ 
@@ -110,11 +110,11 @@ "status": 400, "statusText": "Bad Request" }, - "startedDateTime": "2024-05-28T19:38:09.662Z", - "time": 252 + "startedDateTime": "2025-04-18T09:10:14.977Z", + "time": 329 }, { - "_id": "12b5b1ee2dbbabf1ccfc539561fe7778", + "_id": "253a3c816e61cec10cb225fbb073e320", "_order": 0, "cache": {}, "request": { @@ -127,11 +127,11 @@ "value": "*/*" } ], - "headersSize": 573, + "headersSize": 574, "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/qdg-dfm-kku" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/03s-ro8-kgi" }, "response": { "bodySize": 0, @@ -147,8 +147,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2024-05-28T19:38:09.918Z", - "time": 134 + "startedDateTime": "2025-04-18T09:10:15.311Z", + "time": 209 } ], "pages": [], diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_2338204855/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_2338204855/frozen.json index 8f89e93024b1..5ee511e75d7a 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_2338204855/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_2338204855/frozen.json @@ -1 +1 @@ -"2024-05-28T19:38:10.057Z" +"2025-04-18T09:45:20.422Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_2338204855/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_2338204855/recording.har index bebb985ae717..fac86e85b4f4 100644 
--- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_2338204855/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response_2338204855/recording.har @@ -8,11 +8,11 @@ }, "entries": [ { - "_id": "7edac9ea36b8deb46f4ba1e4b54dd869", + "_id": "f6805e0015e4871e20ec52d323b5f750", "_order": 0, "cache": {}, "request": { - "bodySize": 151, + "bodySize": 159, "cookies": [], "headers": [ { @@ -26,23 +26,23 @@ "value": "application/json" } ], - "headersSize": 638, + "headersSize": 648, "httpVersion": "HTTP/1.1", "method": "PATCH", "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"abc-123-xyz\",\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"invalid-agent-rule-id\",\"type\":\"agent_rule\"}}" }, "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/non-existent-rule-id" }, "response": { - "bodySize": 72, + "bodySize": 25, "content": { "mimeType": "application/json", - "size": 72, - "text": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=abc-123-xyz)\"]}\n" + "size": 25, + "text": "{\"errors\":[\"Not found\"]}\n" }, "cookies": [], "headers": [ @@ -51,14 +51,14 @@ "value": "application/json" } ], - "headersSize": 654, + "headersSize": 631, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 404, "statusText": "Not Found" }, - "startedDateTime": "2024-05-28T19:38:10.060Z", - "time": 154 + "startedDateTime": "2025-04-18T09:45:20.636Z", + "time": 332 } ], "pages": [], 
diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_925510030/frozen.json b/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_925510030/frozen.json index 4cc68f0599ab..2fa66d30e62c 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_925510030/frozen.json +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_925510030/frozen.json @@ -1 +1 @@ -"2024-05-28T19:38:10.219Z" +"2025-04-18T09:10:15.690Z" diff --git a/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_925510030/recording.har b/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_925510030/recording.har index 61dc97e7f1ed..21f30619ecb3 100644 --- a/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_925510030/recording.har +++ b/cassettes/v2/CSM-Threats_3156990395/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response_925510030/recording.har @@ -8,7 +8,7 @@ }, "entries": [ { - "_id": "756706f9ee44e12960171c348b77b175", + "_id": "54f8bc31f520cf8cabba6e785e33b5c4", "_order": 0, "cache": {}, "request": { 
@@ -32,7 +32,7 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1716925090\"},\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415\"},\"type\":\"agent_rule\"}}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules" 
@@ -42,7 +42,7 @@ "content": { "mimeType": "application/json", "size": 688, - "text": "{\"data\":{\"id\":\"wmz-xld-san\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1716925090\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1716925090332,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1716925090332,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n" + "text": "{\"data\":{\"id\":\"szj-quo-wak\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967416010,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967416010,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n" }, "cookies": [], "headers": [ 
@@ -51,21 +51,21 @@ "value": "application/json" } ], - "headersSize": 655, + "headersSize": 654, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-05-28T19:38:10.221Z", - "time": 146 + "startedDateTime": "2025-04-18T09:10:15.692Z", + "time": 363 }, { - "_id": "d6b91df8ed14c69cd2f70fe430881561", + "_id": "699d0e12aa4538225218e33c74419e60", "_order": 0, "cache": {}, "request": { - "bodySize": 151, + "bodySize": 139, "cookies": [], "headers": [ { 
@@ -85,17 +85,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"wmz-xld-san\",\"type\":\"agent_rule\"}}" + "text": "{\"data\":{\"attributes\":{\"description\":\"Updated Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"szj-quo-wak\",\"type\":\"agent_rule\"}}" }, "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/wmz-xld-san" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/szj-quo-wak" }, "response": { - "bodySize": 690, + "bodySize": 693, "content": { "mimeType": "application/json", - "size": 690, - "text": "{\"data\":{\"id\":\"wmz-xld-san\",\"attributes\":{\"version\":2,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1716925090\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1716925090332,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1716925090525,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n" + "size": 693, + "text": "{\"data\":{\"id\":\"szj-quo-wak\",\"attributes\":{\"version\":2,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415\",\"description\":\"Updated Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967416010,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967416272,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n" }, "cookies": [], "headers": [ @@ -104,17 +104,17 @@ "value": "application/json" } ], - "headersSize": 655, + "headersSize": 654, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 200, "statusText": "OK" }, - "startedDateTime": "2024-05-28T19:38:10.372Z", - "time": 190 + "startedDateTime": "2025-04-18T09:10:16.063Z", + "time": 256 }, { - "_id": "b914031cdd6d49b85b9e976786e1d09c", + "_id": "f0e156b54936979ea78180a7393794af", "_order": 0, "cache": {}, "request": { @@ -127,11 +127,11 @@ "value": "*/*" } ], - "headersSize": 573, + "headersSize": 574, "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/wmz-xld-san" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/szj-quo-wak" }, "response": { "bodySize": 0, @@ -141,14 +141,14 @@ }, "cookies": [], "headers": [], - "headersSize": 602, + "headersSize": 601, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 204, "statusText": "No Content" }, - "startedDateTime": "2024-05-28T19:38:10.568Z", - "time": 124 + "startedDateTime": "2025-04-18T09:10:16.322Z", + "time": 233 } ], "pages": [], diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.ts b/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.ts new file mode 100644 index 000000000000..83753ba2ba0b --- /dev/null +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.ts 
@@ -0,0 +1,31 @@ +/** + * Create a CSM Threats Agent policy returns "OK" response + */ + +import { client, v2 } from "@datadog/datadog-api-client"; + +const configuration = client.createConfiguration(); +const apiInstance = new v2.CSMThreatsApi(configuration); + +const params: v2.CSMThreatsApiCreateCSMThreatsAgentPolicyRequest = { + body: { + data: { + attributes: { + description: "My agent policy", + enabled: true, + hostTagsLists: [["env:test"]], + name: "my_agent_policy", + }, + type: "policy", + }, + }, +}; + +apiInstance + .createCSMThreatsAgentPolicy(params) + .then((data: v2.CloudWorkloadSecurityAgentPolicyResponse) => { + console.log( + "API called successfully. Returned data: " + JSON.stringify(data) + ); + }) + .catch((error: any) => console.error(error)); diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.ts b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.ts index f52497673ff3..cd0e0053c8ba 100644 --- a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.ts +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.ts @@ -7,6 +7,9 @@ import { client, v2 } from "@datadog/datadog-api-client"; const configuration = client.createConfiguration(); const apiInstance = new v2.CSMThreatsApi(configuration); +// there is a valid "policy_rc" in the system +const POLICY_DATA_ID = process.env.POLICY_DATA_ID as string; + const params: v2.CSMThreatsApiCreateCSMThreatsAgentRuleRequest = { body: { data: { @@ -14,8 +17,10 @@ const params: v2.CSMThreatsApiCreateCSMThreatsAgentRuleRequest = { description: "My Agent rule", enabled: true, expression: `exec.file.name == "sh"`, - filters: [`os == "linux"`], + filters: [], name: "examplecsmthreat", + policyId: POLICY_DATA_ID, + productTags: [], }, type: "agent_rule", }, diff --git a/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.ts b/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.ts index 11371da96b9c..a2c40dd91d26 100644 --- a/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.ts 
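Review bot: The new example never explains what the nested `hostTagsLists: [["env:test"]]` scoping means, and the `policy_rc` fixture added to given.json later in this patch scopes its policy with a flat `hostTags` field instead, so a reader is left with two ways to target hosts and no guidance on which to use; a one-line comment above the attribute, e.g. `// hostTagsLists: tag sets the policy is scoped to — confirm with the API owners how several sets combine`, would close that gap. On a smaller point, `.catch((error: any) => console.error(error))` should be `(error: unknown)` under strict mode, narrowing before use. The example also prints the whole response with `JSON.stringify`; if policy responses look like the agent-rule recording at the top of this patch, they carry creator/updater handles and UUIDs, so a copy-pasted example will log those.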
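Review bot: `const POLICY_DATA_ID = process.env.POLICY_DATA_ID as string;` only silences the compiler; when the variable is unset the request is built with `policyId: undefined`, and the API error that comes back does not point at the missing variable. Fail early instead: `const POLICY_DATA_ID = process.env.POLICY_DATA_ID;` followed by `if (!POLICY_DATA_ID) throw new Error("POLICY_DATA_ID is not set");`. The same cast is repeated in every other csm-threats example in this patch. Separately, the second hunk replaces the `os == "linux"` filter with `filters: []`, so the example rule is no longer restricted by platform; if that is because host scoping now lives on the policy's host tags, a comment saying so would stop readers from taking an empty filter list as the recommended default.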
+++ b/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.ts @@ -11,9 +11,10 @@ const params: v2.CSMThreatsApiCreateCloudWorkloadSecurityAgentRuleRequest = { body: { data: { attributes: { - description: "Test Agent rule", + description: "My Agent rule", enabled: true, expression: `exec.file.name == "sh"`, + filters: [], name: "examplecsmthreat", }, type: "agent_rule", diff --git a/examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.ts b/examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.ts new file mode 100644 index 000000000000..481286f15576 --- /dev/null +++ b/examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.ts @@ -0,0 +1,24 @@ +/** + * Delete a CSM Threats Agent policy returns "OK" response + */ + +import { client, v2 } from "@datadog/datadog-api-client"; + +const configuration = client.createConfiguration(); +const apiInstance = new v2.CSMThreatsApi(configuration); + +// there is a valid "policy_rc" in the system +const POLICY_DATA_ID = process.env.POLICY_DATA_ID as string; + +const params: v2.CSMThreatsApiDeleteCSMThreatsAgentPolicyRequest = { + policyId: POLICY_DATA_ID, +}; + +apiInstance + .deleteCSMThreatsAgentPolicy(params) + .then((data: any) => { + console.log( + "API called successfully. Returned data: " + JSON.stringify(data) + ); + }) + .catch((error: any) => console.error(error)); diff --git a/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.ts b/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.ts index dc6e5019ed78..b91977e5c056 100644 --- a/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.ts +++ b/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.ts 
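Review bot: The success handler is typed `(data: any)` although the scenario mapping added later in this patch registers `v2.DeleteCSMThreatsAgentPolicy` with `"operationResponseType": "void"`; type it `(data: void)` or drop the parameter so the example does not suggest a body comes back. Because agent rules in this patch are now created with a `policy_id`, deleting a policy is a potentially wide destructive action, and the example should state what happens to rules still attached to it (cascade, orphan, or rejected), which I cannot tell from the diff; until confirmed, `// NOTE: confirm what the API does with agent rules still attached to this policy` is the honest comment to carry.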
@@ -10,8 +10,12 @@ const apiInstance = new v2.CSMThreatsApi(configuration); // there is a valid "agent_rule_rc" in the system const AGENT_RULE_DATA_ID = process.env.AGENT_RULE_DATA_ID as string; +// there is a valid "policy_rc" in the system +const POLICY_DATA_ID = process.env.POLICY_DATA_ID as string; + const params: v2.CSMThreatsApiDeleteCSMThreatsAgentRuleRequest = { agentRuleId: AGENT_RULE_DATA_ID, + policyId: POLICY_DATA_ID, }; apiInstance diff --git a/examples/v2/csm-threats/GetCSMThreatsAgentPolicy.ts b/examples/v2/csm-threats/GetCSMThreatsAgentPolicy.ts new file mode 100644 index 000000000000..27a796ae18be --- /dev/null +++ b/examples/v2/csm-threats/GetCSMThreatsAgentPolicy.ts @@ -0,0 +1,24 @@ +/** + * Get a CSM Threats Agent policy returns "OK" response + */ + +import { client, v2 } from "@datadog/datadog-api-client"; + +const configuration = client.createConfiguration(); +const apiInstance = new v2.CSMThreatsApi(configuration); + +// there is a valid "policy_rc" in the system +const POLICY_DATA_ID = process.env.POLICY_DATA_ID as string; + +const params: v2.CSMThreatsApiGetCSMThreatsAgentPolicyRequest = { + policyId: POLICY_DATA_ID, +}; + +apiInstance + .getCSMThreatsAgentPolicy(params) + .then((data: v2.CloudWorkloadSecurityAgentPolicyResponse) => { + console.log( + "API called successfully. Returned data: " + JSON.stringify(data) + ); + }) + .catch((error: any) => console.error(error)); diff --git a/examples/v2/csm-threats/GetCSMThreatsAgentRule.ts b/examples/v2/csm-threats/GetCSMThreatsAgentRule.ts index d8a58f3a4fbf..6372a91cf587 100644 --- a/examples/v2/csm-threats/GetCSMThreatsAgentRule.ts +++ b/examples/v2/csm-threats/GetCSMThreatsAgentRule.ts 
@@ -10,8 +10,12 @@ const apiInstance = new v2.CSMThreatsApi(configuration); // there is a valid "agent_rule_rc" in the system const AGENT_RULE_DATA_ID = process.env.AGENT_RULE_DATA_ID as string; +// there is a valid "policy_rc" in the system +const POLICY_DATA_ID = process.env.POLICY_DATA_ID as string; + const params: v2.CSMThreatsApiGetCSMThreatsAgentRuleRequest = { agentRuleId: AGENT_RULE_DATA_ID, + policyId: POLICY_DATA_ID, }; apiInstance diff --git a/examples/v2/csm-threats/ListCSMThreatsAgentPolicies.ts b/examples/v2/csm-threats/ListCSMThreatsAgentPolicies.ts new file mode 100644 index 000000000000..2ff573fae029 --- /dev/null +++ b/examples/v2/csm-threats/ListCSMThreatsAgentPolicies.ts @@ -0,0 +1,17 @@ +/** + * Get all CSM Threats Agent policies returns "OK" response + */ + +import { client, v2 } from "@datadog/datadog-api-client"; + +const configuration = client.createConfiguration(); +const apiInstance = new v2.CSMThreatsApi(configuration); + +apiInstance + .listCSMThreatsAgentPolicies() + .then((data: v2.CloudWorkloadSecurityAgentPoliciesListResponse) => { + console.log( + "API called successfully. Returned data: " + JSON.stringify(data) + ); + }) + .catch((error: any) => console.error(error)); diff --git a/examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.ts b/examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.ts new file mode 100644 index 000000000000..ed2827fe4db1 --- /dev/null +++ b/examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.ts 
@@ -0,0 +1,36 @@ +/** + * Update a CSM Threats Agent policy returns "OK" response + */ + +import { client, v2 } from "@datadog/datadog-api-client"; + +const configuration = client.createConfiguration(); +const apiInstance = new v2.CSMThreatsApi(configuration); + +// there is a valid "policy_rc" in the system +const POLICY_DATA_ID = process.env.POLICY_DATA_ID as string; + +const params: v2.CSMThreatsApiUpdateCSMThreatsAgentPolicyRequest = { + body: { + data: { + attributes: { + description: "Updated agent policy", + enabled: true, + hostTagsLists: [["env:test"]], + name: "updated_agent_policy", + }, + id: POLICY_DATA_ID, + type: "policy", + }, + }, + policyId: POLICY_DATA_ID, +}; + +apiInstance + .updateCSMThreatsAgentPolicy(params) + .then((data: v2.CloudWorkloadSecurityAgentPolicyResponse) => { + console.log( + "API called successfully. Returned data: " + JSON.stringify(data) + ); + }) + .catch((error: any) => console.error(error)); diff --git a/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.ts b/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.ts index e52451983114..1d910ad22adc 100644 --- a/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.ts +++ b/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.ts @@ -10,19 +10,25 @@ const apiInstance = new v2.CSMThreatsApi(configuration); // there is a valid "agent_rule_rc" in the system const AGENT_RULE_DATA_ID = process.env.AGENT_RULE_DATA_ID as string; +// there is a valid "policy_rc" in the system +const POLICY_DATA_ID = process.env.POLICY_DATA_ID as string; + const params: v2.CSMThreatsApiUpdateCSMThreatsAgentRuleRequest = { body: { data: { attributes: { - description: "Test Agent rule", + description: "My Agent rule", enabled: true, expression: `exec.file.name == "sh"`, + policyId: POLICY_DATA_ID, + productTags: [], }, - type: "agent_rule", id: AGENT_RULE_DATA_ID, + type: "agent_rule", }, }, agentRuleId: AGENT_RULE_DATA_ID, + policyId: POLICY_DATA_ID, }; apiInstance 
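Review bot: The update example sends a full attribute set with no prior read, yet the feature file in this patch defines an `Update a CSM Threats Agent policy returns "Concurrent Modification"` scenario expecting `409`, so this operation evidently has optimistic-concurrency semantics that the example hides. Add a comment above `apiInstance`, e.g. `// On 409 Concurrent Modification, re-fetch the policy with getCSMThreatsAgentPolicy and retry the update`, so users do not blindly resend a stale write. The policy id also appears twice (`id: POLICY_DATA_ID` in the body and `policyId: POLICY_DATA_ID` in the path); the rule-update Bad Request scenario in this patch uses exactly such a mismatch to provoke a 400, so a short comment that the two must agree is worthwhile.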
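Review bot: The update body now sends `productTags: []` while the `agent_rule_rc` fixture in given.json (later in this patch) creates rules with `product_tags: ["security:attack", "technique:T1059"]`; if the update replaces the attribute set, running this example strips the tags from an existing rule. Whether an empty array clears or is ignored is not visible in the diff, so either drop `productTags: []` from the example or, once confirmed, add `// productTags: [] replaces any existing tags — pass the current list to keep them`. `policyId` is also sent both in the body attributes and as the path parameter; they must refer to the same policy, and the example should say so.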
diff --git a/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.ts b/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.ts index b3e0618d8045..3d5a4474068a 100644 --- a/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.ts +++ b/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.ts @@ -14,12 +14,11 @@ const params: v2.CSMThreatsApiUpdateCloudWorkloadSecurityAgentRuleRequest = { body: { data: { attributes: { - description: "Test Agent rule", - enabled: true, + description: "Updated Agent rule", expression: `exec.file.name == "sh"`, }, - type: "agent_rule", id: AGENT_RULE_DATA_ID, + type: "agent_rule", }, }, agentRuleId: AGENT_RULE_DATA_ID, diff --git a/features/support/scenarios_model_mapping.ts b/features/support/scenarios_model_mapping.ts index 34c7e8cd9751..1bd6e54a47b1 100644 --- a/features/support/scenarios_model_mapping.ts +++ b/features/support/scenarios_model_mapping.ts @@ -6123,6 +6123,10 @@ export const ScenariosModelMappings: {[key: string]: {[key: string]: any}} = { "operationResponseType": "ApplicationSecurityWafExclusionFilterResponse", }, "v2.ListCSMThreatsAgentRules": { + "policyId": { + "type": "string", + "format": "", + }, "operationResponseType": "CloudWorkloadSecurityAgentRulesListResponse", }, "v2.CreateCSMThreatsAgentRule": { @@ -6137,6 +6141,10 @@ export const ScenariosModelMappings: {[key: string]: {[key: string]: any}} = { "type": "string", "format": "", }, + "policyId": { + "type": "string", + "format": "", + }, "operationResponseType": "void", }, "v2.GetCSMThreatsAgentRule": { @@ -6144,6 +6152,10 @@ export const ScenariosModelMappings: {[key: string]: {[key: string]: any}} = { "type": "string", "format": "", }, + "policyId": { + "type": "string", + "format": "", + }, "operationResponseType": "CloudWorkloadSecurityAgentRuleResponse", }, "v2.UpdateCSMThreatsAgentRule": { 
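Review bot: Dropping `enabled: true` from the update body changes what the example teaches without saying so: the recorded cassette at the top of this patch (request body `{"description":"Updated Agent rule","expression":...}` sent to `/agent_rules/szj-quo-wak`) shows the response still carrying `"enabled":true`, so an omitted field apparently keeps its current value rather than resetting. Add a comment on the attributes, e.g. `// enabled is omitted on purpose: fields left out of the update keep their current value`, so readers do not conclude that omitting `enabled` disables the rule, or that the flag is required. That behaviour is inferred from a single recording and should be confirmed against the API spec before it is documented as a contract.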
@@ -6151,15 +6163,54 @@ export const ScenariosModelMappings: {[key: string]: {[key: string]: any}} = { "type": "string", "format": "", }, + "policyId": { + "type": "string", + "format": "", + }, "body": { "type": "CloudWorkloadSecurityAgentRuleUpdateRequest", "format": "", }, "operationResponseType": "CloudWorkloadSecurityAgentRuleResponse", }, + "v2.ListCSMThreatsAgentPolicies": { + "operationResponseType": "CloudWorkloadSecurityAgentPoliciesListResponse", + }, + "v2.CreateCSMThreatsAgentPolicy": { + "body": { + "type": "CloudWorkloadSecurityAgentPolicyCreateRequest", + "format": "", + }, + "operationResponseType": "CloudWorkloadSecurityAgentPolicyResponse", + }, "v2.DownloadCSMThreatsPolicy": { "operationResponseType": "HttpFile", }, + "v2.DeleteCSMThreatsAgentPolicy": { + "policyId": { + "type": "string", + "format": "", + }, + "operationResponseType": "void", + }, + "v2.GetCSMThreatsAgentPolicy": { + "policyId": { + "type": "string", + "format": "", + }, + "operationResponseType": "CloudWorkloadSecurityAgentPolicyResponse", + }, + "v2.UpdateCSMThreatsAgentPolicy": { + "policyId": { + "type": "string", + "format": "", + }, + "body": { + "type": "CloudWorkloadSecurityAgentPolicyUpdateRequest", + "format": "", + }, + "operationResponseType": "CloudWorkloadSecurityAgentPolicyResponse", + }, "v2.DownloadCloudWorkloadPolicyFile": { "operationResponseType": "HttpFile", }, diff --git a/features/v2/csm_threats.feature b/features/v2/csm_threats.feature index 17d49528c52c..b6479f1cf8ce 100644 --- a/features/v2/csm_threats.feature +++ b/features/v2/csm_threats.feature 
@@ -11,69 +11,111 @@ Feature: CSM Threats And a valid "appKeyAuth" key in the system And an instance of "CSMThreats" API + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Create a CSM Threats Agent policy returns "Bad Request" response + Given new "CreateCSMThreatsAgentPolicy" request + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "hostTagsLists": [], "name": "test"}, "type": "policy"}} + When the request is sent + Then the response status is 400 Bad Request + + @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Create a CSM Threats Agent policy returns "Conflict" response + Given new "CreateCSMThreatsAgentPolicy" request + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "type": "policy"}} + When the request is sent + Then the response status is 409 Conflict + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Create a CSM Threats Agent policy returns "OK" response + Given new "CreateCSMThreatsAgentPolicy" request + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "my_agent_policy"}, "type": "policy"}} + When the request is sent + Then the response status is 200 OK + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a CSM Threats Agent rule returns "Bad Request" response - Given new "CreateCSMThreatsAgentRule" request - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == sh", "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCSMThreatsAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", 
"enabled": true, "expression": "exec.file.name", "filters": [], "name": "my_agent_rule", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}} When the request is sent Then the response status is 400 Bad Request @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a CSM Threats Agent rule returns "Conflict" response - Given new "CreateCSMThreatsAgentRule" request - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "my_agent_rule"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCSMThreatsAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "my_agent_rule", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}} When the request is sent Then the response status is 409 Conflict @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a CSM Threats Agent rule returns "OK" response - Given new "CreateCSMThreatsAgentRule" request - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": ["os == \"linux\""], "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCSMThreatsAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}} When the request is sent Then the response status is 200 OK @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a Cloud Workload Security Agent 
rule returns "Bad Request" response - Given new "CreateCloudWorkloadSecurityAgentRule" request - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "open.file.path = sh", "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCloudWorkloadSecurityAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name", "filters": [], "name": "my_agent_rule"}, "type": "agent_rule"}} When the request is sent Then the response status is 400 Bad Request @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a Cloud Workload Security Agent rule returns "Conflict" response - Given new "CreateCloudWorkloadSecurityAgentRule" request - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCloudWorkloadSecurityAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "my_agent_rule"}, "type": "agent_rule"}} When the request is sent Then the response status is 409 Conflict @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a Cloud Workload Security Agent rule returns "OK" response - Given new "CreateCloudWorkloadSecurityAgentRule" request - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCloudWorkloadSecurityAgentRule" request + And body with value {"data": 
{"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} When the request is sent Then the response status is 200 OK - And the response "data.type" is equal to "agent_rule" - And the response "data.attributes.description" is equal to "Test Agent rule" + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Delete a CSM Threats Agent policy returns "Not Found" response + Given new "DeleteCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter with value "non-existent-policy-id" + When the request is sent + Then the response status is 404 Not Found + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Delete a CSM Threats Agent policy returns "OK" response + Given there is a valid "policy_rc" in the system + And new "DeleteCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter from "policy.data.id" + When the request is sent + Then the response status is 204 OK @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Delete a CSM Threats Agent rule returns "Not Found" response Given new "DeleteCSMThreatsAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" When the request is sent Then the response status is 404 Not Found @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Delete a CSM Threats Agent rule returns "OK" response - Given there is a valid "agent_rule_rc" in the system + Given there is a valid "policy_rc" in the system + And there is a valid "agent_rule_rc" in the system And new "DeleteCSMThreatsAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" + And request contains "policy_id" parameter from "policy.data.id" When the 
request is sent Then the response status is 204 OK @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Delete a Cloud Workload Security Agent rule returns "Not Found" response Given new "DeleteCloudWorkloadSecurityAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" When the request is sent Then the response status is 404 Not Found 
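Review bot: The `Create a Cloud Workload Security Agent rule returns "OK"` scenario loses its `data.type` and `data.attributes.description` assertions, so it now passes on any 200 regardless of the body, and the same trimming happens to the Get and Update OK scenarios further down, leaving the whole feature checking status codes only. Restore them against the new body: `And the response "data.type" is equal to "agent_rule"` and `And the response "data.attributes.description" is equal to "My Agent rule"`. The three Cloud Workload Security create scenarios also gain `Given there is a valid "policy_rc" in the system` although their request bodies never reference a policy, so each run creates and undoes an unused fixture unless the backend really requires a policy to exist first — if it does, a comment should say so. `Then the response status is 204 OK` for the policy delete mismatches the recorded `204 No Content`; harmless if the step compares only the number, but it is easy to fix. The create-policy Bad Request body sends `"hostTags": []`, `"hostTagsLists": []` and `"name": "test"` together, so it is unclear which input actually triggers the 400.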
@@ -85,27 +127,42 @@ Feature: CSM Threats When the request is sent Then the response status is 204 OK + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Get a CSM Threats Agent policy returns "Not Found" response + Given new "GetCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter with value "non-existent-policy-id" + When the request is sent + Then the response status is 404 Not Found + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Get a CSM Threats Agent policy returns "OK" response + Given there is a valid "policy_rc" in the system + And new "GetCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter from "policy.data.id" + When the request is sent + Then the response status is 200 OK + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get a CSM Threats Agent rule returns "Not Found" response Given new "GetCSMThreatsAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" When the request is sent Then the response status is 404 Not Found @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get a CSM Threats Agent rule returns "OK" response - Given there is a valid "agent_rule_rc" in the system + Given there is a valid "policy_rc" in the system + And there is a valid "agent_rule_rc" in the system And new "GetCSMThreatsAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" + And request contains "policy_id" parameter from "policy.data.id" When the request is sent Then the response status is 200 OK - And the response "data.type" is equal to "agent_rule" - And the response "data.attributes.description" is equal to "My Agent rule" @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get a Cloud Workload Security Agent 
rule returns "Not Found" response Given new "GetCloudWorkloadSecurityAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" When the request is sent Then the response status is 404 Not Found @@ -116,8 +173,12 @@ Feature: CSM Threats And request contains "agent_rule_id" parameter from "agent_rule.data.id" When the request is sent Then the response status is 200 OK - And the response "data.type" is equal to "agent_rule" - And the response "data.attributes.description" is equal to "My Agent rule" + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Get all CSM Threats Agent policies returns "OK" response + Given new "ListCSMThreatsAgentPolicies" request + When the request is sent + Then the response status is 200 OK @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get all CSM Threats Agent rules returns "OK" response @@ -127,11 +188,9 @@ Feature: CSM Threats @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get all Cloud Workload Security Agent rules returns "OK" response - Given there is a valid "agent_rule" in the system - And new "ListCloudWorkloadSecurityAgentRules" request + Given new "ListCloudWorkloadSecurityAgentRules" request When the request is sent Then the response status is 200 OK - And the response "data[0].type" is equal to "agent_rule" @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Get the latest CSM Threats policy returns "OK" response 
@@ -145,49 +204,87 @@ Feature: CSM Threats When the request is sent Then the response status is 200 OK + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Update a CSM Threats Agent policy returns "Bad Request" response + Given there is a valid "policy_rc" in the system + And new "UpdateCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter from "policy.data.id" + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": ["env:test"], "hostTagsLists": [["env:test"]], "name": ""}, "id": "{{ policy.data.id }}", "type": "policy"}} + When the request is sent + Then the response status is 400 Bad Request + + @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Update a CSM Threats Agent policy returns "Concurrent Modification" response + Given there is a valid "policy_rc" in the system + And new "UpdateCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter from "policy.data.id" + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "id": "{{ policy.data.id }}", "type": "policy"}} + When the request is sent + Then the response status is 409 Concurrent Modification + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Update a CSM Threats Agent policy returns "Not Found" response + Given new "UpdateCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter with value "non-existent-policy-id" + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "id": "non-existent-policy-id", "type": "policy"}} + When the request is sent + Then the response status is 400 Bad Request + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Update a CSM Threats Agent policy returns "OK" 
response + Given there is a valid "policy_rc" in the system + And new "UpdateCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter from "policy.data.id" + And body with value {"data": {"attributes": {"description": "Updated agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "updated_agent_policy"}, "id": "{{ policy.data.id }}", "type": "policy"}} + When the request is sent + Then the response status is 200 OK + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Update a CSM Threats Agent rule returns "Bad Request" response - Given there is a valid "agent_rule_rc" in the system + Given there is a valid "policy_rc" in the system + And there is a valid "agent_rule_rc" in the system And new "UpdateCSMThreatsAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "open.file.path = sh"}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}} + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "id": "invalid-agent-rule-id", "type": "agent_rule"}} When the request is sent Then the response status is 400 Bad Request @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Update a CSM Threats Agent rule returns "Concurrent Modification" response - Given new "UpdateCSMThreatsAgentRule" request - And there is a valid "agent_rule" in the system + Given there is a valid "agent_rule_rc" in the system + And there is a valid "policy_rc" in the system + And new "UpdateCSMThreatsAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == 
\"sh\""}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}} + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}} When the request is sent Then the response status is 409 Concurrent Modification @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Update a CSM Threats Agent rule returns "Not Found" response - Given new "UpdateCSMThreatsAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"abc-123-xyz"}} + Given there is a valid "policy_rc" in the system + And new "UpdateCSMThreatsAgentRule" request + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "id": "non-existent-rule-id", "type": "agent_rule"}} When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Update a CSM Threats Agent rule returns "OK" response - Given there is a valid "agent_rule_rc" in the system + Given there is a valid "policy_rc" in the system + And there is a valid "agent_rule_rc" in the system And new "UpdateCSMThreatsAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", 
"id":"{{ agent_rule.data.id }}"}} + And request contains "policy_id" parameter from "policy.data.id" + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}} When the request is sent Then the response status is 200 OK - And the response "data.type" is equal to "agent_rule" - And the response "data.attributes.description" is equal to "Test Agent rule" @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Update a Cloud Workload Security Agent rule returns "Bad Request" response Given there is a valid "agent_rule" in the system And new "UpdateCloudWorkloadSecurityAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "open.file.path = sh"}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}} + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name"}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}} When the request is sent Then the response status is 400 Bad Request 
@@ -196,15 +293,15 @@ Feature: CSM Threats Given there is a valid "agent_rule" in the system And new "UpdateCloudWorkloadSecurityAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}} + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}} When the request is sent Then the response status is 409 Concurrent Modification @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Update a Cloud Workload Security Agent rule returns "Not Found" response Given new "UpdateCloudWorkloadSecurityAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"abc-123-xyz"}} + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "id": "invalid-agent-rule-id", "type": "agent_rule"}} When the request is sent Then the response status is 404 Not Found 
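Review bot: The `Update a Cloud Workload Security Agent rule returns "Not Found"` scenario now sends `non-existent-rule-id` in the path but `"id": "invalid-agent-rule-id"` in the body, so the request carries two independent faults — an unknown rule and a path/body id mismatch — and the 404 no longer isolates the not-found case (the CSM Threats rule-update Bad Request scenario in this patch uses exactly such a mismatch to provoke a 400). Use the same value in both places, `"id": "non-existent-rule-id"`, as the CSM Threats Not Found scenario above already does.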
@@ -213,8 +310,6 @@ Feature: CSM Threats Given there is a valid "agent_rule" in the system And new "UpdateCloudWorkloadSecurityAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}} + And body with value {"data": {"attributes": {"description": "Updated Agent rule", "expression": "exec.file.name == \"sh\""}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}} When the request is sent Then the response status is 200 OK - And the response "data.type" is equal to "agent_rule" - And the response "data.attributes.description" is equal to "Test Agent rule" diff --git a/features/v2/given.json b/features/v2/given.json index dcce70aed76e..95166d223ff8 100644 --- a/features/v2/given.json +++ b/features/v2/given.json @@ -531,7 +531,7 @@ "parameters": [ { "name": "body", - "value": "{\n \"data\": {\n \"type\": \"agent_rule\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My Agent rule\",\n \"expression\": \"exec.file.name == \\\"sh\\\"\",\n \"enabled\": true\n }\n }\n}" + "value": "{\n \"data\": {\n \"type\": \"agent_rule\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My Agent rule\",\n \"expression\": \"exec.file.name == \\\"sh\\\"\",\n \"enabled\": true,\n \"product_tags\": [\"security:attack\", \"technique:T1059\"],\n \"policy_id\": \"{{ policy.data.id }}\"\n }\n }\n}" } ], "step": "there is a valid \"agent_rule_rc\" in the system", 
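Review bot: The "OK" update scenario now checks only the status code; the two `And the response ...` assertions were removed rather than updated, so a response that echoes stale attributes would still pass. Since the new body sets `"description": "Updated Agent rule"`, keep a content assertion alongside the status: `And the response "data.attributes.description" is equal to "Updated Agent rule"` and `And the response "data.type" is equal to "agent_rule"`. The preceding hunk for the Cloud Workload Security variant drops the same two assertions, though its start lies outside this view.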
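Review bot: The `agent_rule_rc` given now renders `"policy_id": "{{ policy.data.id }}"`, which presumably resolves only when the `policy` fixture has already been created in the same scenario; a scenario that requests `agent_rule_rc` on its own would otherwise render an empty or literal value and create the rule against no policy. Worth confirming that the step runner resolves fixture dependencies transitively, or that every scenario using this given also invokes the `policy_rc` given first.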
@@ -539,6 +539,18 @@ "tag": "CSM Threats", "operationId": "CreateCSMThreatsAgentRule" }, + { + "parameters": [ + { + "name": "body", + "value": "{\n \"data\": {\n \"type\": \"policy\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My agent policy\",\n \"hostTags\": [\"env:staging\"],\n \"enabled\": true\n }\n }\n}" + } + ], + "step": "there is a valid \"policy_rc\" in the system", + "key": "policy", + "tag": "CSM Threats", + "operationId": "CreateCSMThreatsAgentPolicy" + }, { "parameters": [ { diff --git a/features/v2/undo.json b/features/v2/undo.json index 85514d189970..66ea8a9fa879 100644 --- a/features/v2/undo.json +++ b/features/v2/undo.json @@ -2057,12 +2057,49 @@ "type": "idempotent" } }, + "ListCSMThreatsAgentPolicies": { + "tag": "CSM Threats", + "undo": { + "type": "safe" + } + }, + "CreateCSMThreatsAgentPolicy": { + "tag": "CSM Threats", + "undo": { + "operationId": "DeleteCSMThreatsAgentPolicy", + "parameters": [ + { + "name": "policy_id", + "source": "data.id" + } + ], + "type": "unsafe" + } + }, "DownloadCSMThreatsPolicy": { "tag": "CSM Threats", "undo": { "type": "safe" } }, + "DeleteCSMThreatsAgentPolicy": { + "tag": "CSM Threats", + "undo": { + "type": "idempotent" + } + }, + "GetCSMThreatsAgentPolicy": { + "tag": "CSM Threats", + "undo": { + "type": "safe" + } + }, + "UpdateCSMThreatsAgentPolicy": { + "tag": "CSM Threats", + "undo": { + "type": "idempotent" + } + }, "CreatePipeline": { "tag": "Observability Pipelines", "undo": { diff --git a/packages/datadog-api-client-v2/apis/CSMThreatsApi.ts b/packages/datadog-api-client-v2/apis/CSMThreatsApi.ts index 8995d1ae3518..225599013d99 100644 --- a/packages/datadog-api-client-v2/apis/CSMThreatsApi.ts +++ b/packages/datadog-api-client-v2/apis/CSMThreatsApi.ts 
@@ -18,6 +18,10 @@ import { ObjectSerializer } from "../models/ObjectSerializer"; import { ApiException } from "../../datadog-api-client-common/exception"; import { APIErrorResponse } from "../models/APIErrorResponse"; +import { CloudWorkloadSecurityAgentPoliciesListResponse } from "../models/CloudWorkloadSecurityAgentPoliciesListResponse"; +import { CloudWorkloadSecurityAgentPolicyCreateRequest } from "../models/CloudWorkloadSecurityAgentPolicyCreateRequest"; +import { CloudWorkloadSecurityAgentPolicyResponse } from "../models/CloudWorkloadSecurityAgentPolicyResponse"; +import { CloudWorkloadSecurityAgentPolicyUpdateRequest } from "../models/CloudWorkloadSecurityAgentPolicyUpdateRequest"; import { CloudWorkloadSecurityAgentRuleCreateRequest } from "../models/CloudWorkloadSecurityAgentRuleCreateRequest"; import { CloudWorkloadSecurityAgentRuleResponse } from "../models/CloudWorkloadSecurityAgentRuleResponse"; import { CloudWorkloadSecurityAgentRulesListResponse } from "../models/CloudWorkloadSecurityAgentRulesListResponse"; 
@@ -70,6 +74,51 @@ export class CSMThreatsApiRequestFactory extends BaseAPIRequestFactory { return requestContext; } + public async createCSMThreatsAgentPolicy( + body: CloudWorkloadSecurityAgentPolicyCreateRequest, + _options?: Configuration + ): Promise { + const _config = _options || this.configuration; + + // verify required parameter 'body' is not null or undefined + if (body === null || body === undefined) { + throw new RequiredError("body", "createCSMThreatsAgentPolicy"); + } + + // Path Params + const localVarPath = "/api/v2/remote_config/products/cws/policy"; + + // Make Request Context + const requestContext = _config + .getServer("v2.CSMThreatsApi.createCSMThreatsAgentPolicy") + .makeRequestContext(localVarPath, HttpMethod.POST); + requestContext.setHeaderParam("Accept", "application/json"); + requestContext.setHttpConfig(_config.httpConfig); + + // Body Params + const contentType = ObjectSerializer.getPreferredMediaType([ + "application/json", + ]); + requestContext.setHeaderParam("Content-Type", contentType); + const serializedBody = ObjectSerializer.stringify( + ObjectSerializer.serialize( + body, + "CloudWorkloadSecurityAgentPolicyCreateRequest", + "" + ), + contentType + ); + requestContext.setBody(serializedBody); + + // Apply auth methods + applySecurityAuthentication(_config, requestContext, [ + "apiKeyAuth", + "appKeyAuth", + ]); + + return requestContext; + } + public async createCSMThreatsAgentRule( body: CloudWorkloadSecurityAgentRuleCreateRequest, _options?: Configuration 
@@ -152,8 +201,43 @@ export class CSMThreatsApiRequestFactory extends BaseAPIRequestFactory { return requestContext; } + public async deleteCSMThreatsAgentPolicy( + policyId: string, + _options?: Configuration + ): Promise { + const _config = _options || this.configuration; + + // verify required parameter 'policyId' is not null or undefined + if (policyId === null || policyId === undefined) { + throw new RequiredError("policyId", "deleteCSMThreatsAgentPolicy"); + } + + // Path Params + const localVarPath = + "/api/v2/remote_config/products/cws/policy/{policy_id}".replace( + "{policy_id}", + encodeURIComponent(String(policyId)) + ); + + // Make Request Context + const requestContext = _config + .getServer("v2.CSMThreatsApi.deleteCSMThreatsAgentPolicy") + .makeRequestContext(localVarPath, HttpMethod.DELETE); + requestContext.setHeaderParam("Accept", "*/*"); + requestContext.setHttpConfig(_config.httpConfig); + + // Apply auth methods + applySecurityAuthentication(_config, requestContext, [ + "apiKeyAuth", + "appKeyAuth", + ]); + + return requestContext; + } + public async deleteCSMThreatsAgentRule( agentRuleId: string, + policyId?: string, _options?: Configuration ): Promise { const _config = _options || this.configuration; @@ -177,6 +261,15 @@ export class CSMThreatsApiRequestFactory extends BaseAPIRequestFactory { requestContext.setHeaderParam("Accept", "*/*"); requestContext.setHttpConfig(_config.httpConfig); + // Query Params + if (policyId !== undefined) { + requestContext.setQueryParam( + "policy_id", + ObjectSerializer.serialize(policyId, "string", ""), + "" + ); + } + // Apply auth methods applySecurityAuthentication(_config, requestContext, [ "apiKeyAuth", 
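Review bot: `deleteCSMThreatsAgentRule` gains `policyId?: string` in front of `_options?: Configuration`, so an existing caller of the request factory that passed a `Configuration` as the second positional argument now has it bound to `policyId`; TypeScript rejects that at compile time, but a plain-JavaScript caller would presumably have the serialized configuration sent as the `policy_id` query parameter without any error. The same insertion is made for `getCSMThreatsAgentRule`, `listCSMThreatsAgentRules` and `updateCSMThreatsAgentRule` in the following hunks. If the factory signature counts as public API, a doc comment on each new parameter makes the ordering change visible to callers: `/** @param policyId Optional policy scope; when set it is sent as the policy_id query parameter. */`.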
@@ -277,8 +370,43 @@ export class CSMThreatsApiRequestFactory extends BaseAPIRequestFactory { return requestContext; } + public async getCSMThreatsAgentPolicy( + policyId: string, + _options?: Configuration + ): Promise { + const _config = _options || this.configuration; + + // verify required parameter 'policyId' is not null or undefined + if (policyId === null || policyId === undefined) { + throw new RequiredError("policyId", "getCSMThreatsAgentPolicy"); + } + + // Path Params + const localVarPath = + "/api/v2/remote_config/products/cws/policy/{policy_id}".replace( + "{policy_id}", + encodeURIComponent(String(policyId)) + ); + + // Make Request Context + const requestContext = _config + .getServer("v2.CSMThreatsApi.getCSMThreatsAgentPolicy") + .makeRequestContext(localVarPath, HttpMethod.GET); + requestContext.setHeaderParam("Accept", "application/json"); + requestContext.setHttpConfig(_config.httpConfig); + + // Apply auth methods + applySecurityAuthentication(_config, requestContext, [ + "apiKeyAuth", + "appKeyAuth", + ]); + + return requestContext; + } + public async getCSMThreatsAgentRule( agentRuleId: string, + policyId?: string, _options?: Configuration ): Promise { const _config = _options || this.configuration; @@ -302,6 +430,15 @@ export class CSMThreatsApiRequestFactory extends BaseAPIRequestFactory { requestContext.setHeaderParam("Accept", "application/json"); requestContext.setHttpConfig(_config.httpConfig); + // Query Params + if (policyId !== undefined) { + requestContext.setQueryParam( + "policy_id", + ObjectSerializer.serialize(policyId, "string", ""), + "" + ); + } + // Apply auth methods applySecurityAuthentication(_config, requestContext, [ "apiKeyAuth", 
@@ -336,7 +473,32 @@ export class CSMThreatsApiRequestFactory extends BaseAPIRequestFactory { return requestContext; } + public async listCSMThreatsAgentPolicies( + _options?: Configuration + ): Promise { + const _config = _options || this.configuration; + + // Path Params + const localVarPath = "/api/v2/remote_config/products/cws/policy"; + + // Make Request Context + const requestContext = _config + .getServer("v2.CSMThreatsApi.listCSMThreatsAgentPolicies") + .makeRequestContext(localVarPath, HttpMethod.GET); + requestContext.setHeaderParam("Accept", "application/json"); + requestContext.setHttpConfig(_config.httpConfig); + + // Apply auth methods + applySecurityAuthentication(_config, requestContext, [ + "apiKeyAuth", + "appKeyAuth", + ]); + + return requestContext; + } + public async listCSMThreatsAgentRules( + policyId?: string, _options?: Configuration ): Promise { const _config = _options || this.configuration; @@ -351,6 +513,15 @@ export class CSMThreatsApiRequestFactory extends BaseAPIRequestFactory { requestContext.setHeaderParam("Accept", "application/json"); requestContext.setHttpConfig(_config.httpConfig); + // Query Params + if (policyId !== undefined) { + requestContext.setQueryParam( + "policy_id", + ObjectSerializer.serialize(policyId, "string", ""), + "" + ); + } + // Apply auth methods applySecurityAuthentication(_config, requestContext, [ "apiKeyAuth", 
@@ -418,9 +589,65 @@ export class CSMThreatsApiRequestFactory extends BaseAPIRequestFactory { return requestContext; } + public async updateCSMThreatsAgentPolicy( + policyId: string, + body: CloudWorkloadSecurityAgentPolicyUpdateRequest, + _options?: Configuration + ): Promise { + const _config = _options || this.configuration; + + // verify required parameter 'policyId' is not null or undefined + if (policyId === null || policyId === undefined) { + throw new RequiredError("policyId", "updateCSMThreatsAgentPolicy"); + } + + // verify required parameter 'body' is not null or undefined + if (body === null || body === undefined) { + throw new RequiredError("body", "updateCSMThreatsAgentPolicy"); + } + + // Path Params + const localVarPath = + "/api/v2/remote_config/products/cws/policy/{policy_id}".replace( + "{policy_id}", + encodeURIComponent(String(policyId)) + ); + + // Make Request Context + const requestContext = _config + .getServer("v2.CSMThreatsApi.updateCSMThreatsAgentPolicy") + .makeRequestContext(localVarPath, HttpMethod.PATCH); + requestContext.setHeaderParam("Accept", "application/json"); + requestContext.setHttpConfig(_config.httpConfig); + + // Body Params + const contentType = ObjectSerializer.getPreferredMediaType([ + "application/json", + ]); + requestContext.setHeaderParam("Content-Type", contentType); + const serializedBody = ObjectSerializer.stringify( + ObjectSerializer.serialize( + body, + "CloudWorkloadSecurityAgentPolicyUpdateRequest", + "" + ), + contentType + ); + requestContext.setBody(serializedBody); + + // Apply auth methods + applySecurityAuthentication(_config, requestContext, [ + "apiKeyAuth", + "appKeyAuth", + ]); + + return requestContext; + } + public async updateCSMThreatsAgentRule( agentRuleId: string, body: CloudWorkloadSecurityAgentRuleUpdateRequest, + policyId?: string, _options?: Configuration ): Promise { const _config = _options || this.configuration; 
@@ -449,6 +676,15 @@ export class CSMThreatsApiRequestFactory extends BaseAPIRequestFactory { requestContext.setHeaderParam("Accept", "application/json"); requestContext.setHttpConfig(_config.httpConfig); + // Query Params + if (policyId !== undefined) { + requestContext.setQueryParam( + "policy_id", + ObjectSerializer.serialize(policyId, "string", ""), + "" + ); + } + // Body Params const contentType = ObjectSerializer.getPreferredMediaType([ "application/json", 
@@ -540,6 +776,71 @@ export class CSMThreatsApiResponseProcessor { ); } + /** + * Unwraps the actual response sent by the server from the response context and deserializes the response content + * to the expected objects + * + * @params response Response returned by the server for a request to createCSMThreatsAgentPolicy + * @throws ApiException if the response code was not in [200, 299] + */ + public async createCSMThreatsAgentPolicy( + response: ResponseContext + ): Promise { + const contentType = ObjectSerializer.normalizeMediaType( + response.headers["content-type"] + ); + if (response.httpStatusCode === 200) { + const body: CloudWorkloadSecurityAgentPolicyResponse = + ObjectSerializer.deserialize( + ObjectSerializer.parse(await response.body.text(), contentType), + "CloudWorkloadSecurityAgentPolicyResponse" + ) as CloudWorkloadSecurityAgentPolicyResponse; + return body; + } + if ( + response.httpStatusCode === 400 || + response.httpStatusCode === 403 || + response.httpStatusCode === 409 || + response.httpStatusCode === 429 + ) { + const bodyText = ObjectSerializer.parse( + await response.body.text(), + contentType + ); + let body: APIErrorResponse; + try { + body = ObjectSerializer.deserialize( + bodyText, + "APIErrorResponse" + ) as APIErrorResponse; + } catch (error) { + logger.debug(`Got error deserializing error: ${error}`); + throw new ApiException( + response.httpStatusCode, + bodyText + ); + } + throw new ApiException(response.httpStatusCode, body); + } + + // Work around for missing responses in specification, e.g. 
for petstore.yaml + if (response.httpStatusCode >= 200 && response.httpStatusCode <= 299) { + const body: CloudWorkloadSecurityAgentPolicyResponse = + ObjectSerializer.deserialize( + ObjectSerializer.parse(await response.body.text(), contentType), + "CloudWorkloadSecurityAgentPolicyResponse", + "" + ) as CloudWorkloadSecurityAgentPolicyResponse; + return body; + } + + const body = (await response.body.text()) || ""; + throw new ApiException( + response.httpStatusCode, + 'Unknown API Status Code!\nBody: "' + body + '"' + ); + } + /** * Unwraps the actual response sent by the server from the response context and deserializes the response content * to the expected objects 
@@ -663,6 +964,64 @@ export class CSMThreatsApiResponseProcessor { ); } + /** + * Unwraps the actual response sent by the server from the response context and deserializes the response content + * to the expected objects + * + * @params response Response returned by the server for a request to deleteCSMThreatsAgentPolicy + * @throws ApiException if the response code was not in [200, 299] + */ + public async deleteCSMThreatsAgentPolicy( + response: ResponseContext + ): Promise { + const contentType = ObjectSerializer.normalizeMediaType( + response.headers["content-type"] + ); + if (response.httpStatusCode === 202 || response.httpStatusCode === 204) { + return; + } + if ( + response.httpStatusCode === 403 || + response.httpStatusCode === 404 || + response.httpStatusCode === 429 + ) { + const bodyText = ObjectSerializer.parse( + await response.body.text(), + contentType + ); + let body: APIErrorResponse; + try { + body = ObjectSerializer.deserialize( + bodyText, + "APIErrorResponse" + ) as APIErrorResponse; + } catch (error) { + logger.debug(`Got error deserializing error: ${error}`); + throw new ApiException( + response.httpStatusCode, + bodyText + ); + } + throw new ApiException(response.httpStatusCode, body); + } + + // Work around for missing responses in specification, e.g. for petstore.yaml + if (response.httpStatusCode >= 200 && response.httpStatusCode <= 299) { + const body: void = ObjectSerializer.deserialize( + ObjectSerializer.parse(await response.body.text(), contentType), + "void", + "" + ) as void; + return body; + } + + const body = (await response.body.text()) || ""; + throw new ApiException( + response.httpStatusCode, + 'Unknown API Status Code!\nBody: "' + body + '"' + ); + } + /** * Unwraps the actual response sent by the server from the response context and deserializes the response content * to the expected objects 
@@ -706,11 +1065,179 @@ export class CSMThreatsApiResponseProcessor { // Work around for missing responses in specification, e.g. for petstore.yaml if (response.httpStatusCode >= 200 && response.httpStatusCode <= 299) { - const body: void = ObjectSerializer.deserialize( - ObjectSerializer.parse(await response.body.text(), contentType), - "void", - "" - ) as void; + const body: void = ObjectSerializer.deserialize( + ObjectSerializer.parse(await response.body.text(), contentType), + "void", + "" + ) as void; + return body; + } + + const body = (await response.body.text()) || ""; + throw new ApiException( + response.httpStatusCode, + 'Unknown API Status Code!\nBody: "' + body + '"' + ); + } + + /** + * Unwraps the actual response sent by the server from the response context and deserializes the response content + * to the expected objects + * + * @params response Response returned by the server for a request to downloadCloudWorkloadPolicyFile + * @throws ApiException if the response code was not in [200, 299] + */ + public async downloadCloudWorkloadPolicyFile( + response: ResponseContext + ): Promise { + const contentType = ObjectSerializer.normalizeMediaType( + response.headers["content-type"] + ); + if (response.httpStatusCode === 200) { + const body: HttpFile = (await response.getBodyAsFile()) as HttpFile; + return body; + } + if (response.httpStatusCode === 403 || response.httpStatusCode === 429) { + const bodyText = ObjectSerializer.parse( + await response.body.text(), + contentType + ); + let body: APIErrorResponse; + try { + body = ObjectSerializer.deserialize( + bodyText, + "APIErrorResponse" + ) as APIErrorResponse; + } catch (error) { + logger.debug(`Got error deserializing error: ${error}`); + throw new ApiException( + response.httpStatusCode, + bodyText + ); + } + throw new ApiException(response.httpStatusCode, body); + } + + // Work around for missing responses in specification, e.g. 
for petstore.yaml + if (response.httpStatusCode >= 200 && response.httpStatusCode <= 299) { + const body: HttpFile = + (await response.getBodyAsFile()) as any as HttpFile; + return body; + } + + const body = (await response.body.text()) || ""; + throw new ApiException( + response.httpStatusCode, + 'Unknown API Status Code!\nBody: "' + body + '"' + ); + } + + /** + * Unwraps the actual response sent by the server from the response context and deserializes the response content + * to the expected objects + * + * @params response Response returned by the server for a request to downloadCSMThreatsPolicy + * @throws ApiException if the response code was not in [200, 299] + */ + public async downloadCSMThreatsPolicy( + response: ResponseContext + ): Promise { + const contentType = ObjectSerializer.normalizeMediaType( + response.headers["content-type"] + ); + if (response.httpStatusCode === 200) { + const body: HttpFile = (await response.getBodyAsFile()) as HttpFile; + return body; + } + if (response.httpStatusCode === 403 || response.httpStatusCode === 429) { + const bodyText = ObjectSerializer.parse( + await response.body.text(), + contentType + ); + let body: APIErrorResponse; + try { + body = ObjectSerializer.deserialize( + bodyText, + "APIErrorResponse" + ) as APIErrorResponse; + } catch (error) { + logger.debug(`Got error deserializing error: ${error}`); + throw new ApiException( + response.httpStatusCode, + bodyText + ); + } + throw new ApiException(response.httpStatusCode, body); + } + + // Work around for missing responses in specification, e.g. 
for petstore.yaml + if (response.httpStatusCode >= 200 && response.httpStatusCode <= 299) { + const body: HttpFile = + (await response.getBodyAsFile()) as any as HttpFile; + return body; + } + + const body = (await response.body.text()) || ""; + throw new ApiException( + response.httpStatusCode, + 'Unknown API Status Code!\nBody: "' + body + '"' + ); + } + + /** + * Unwraps the actual response sent by the server from the response context and deserializes the response content + * to the expected objects + * + * @params response Response returned by the server for a request to getCloudWorkloadSecurityAgentRule + * @throws ApiException if the response code was not in [200, 299] + */ + public async getCloudWorkloadSecurityAgentRule( + response: ResponseContext + ): Promise { + const contentType = ObjectSerializer.normalizeMediaType( + response.headers["content-type"] + ); + if (response.httpStatusCode === 200) { + const body: CloudWorkloadSecurityAgentRuleResponse = + ObjectSerializer.deserialize( + ObjectSerializer.parse(await response.body.text(), contentType), + "CloudWorkloadSecurityAgentRuleResponse" + ) as CloudWorkloadSecurityAgentRuleResponse; + return body; + } + if ( + response.httpStatusCode === 403 || + response.httpStatusCode === 404 || + response.httpStatusCode === 429 + ) { + const bodyText = ObjectSerializer.parse( + await response.body.text(), + contentType + ); + let body: APIErrorResponse; + try { + body = ObjectSerializer.deserialize( + bodyText, + "APIErrorResponse" + ) as APIErrorResponse; + } catch (error) { + logger.debug(`Got error deserializing error: ${error}`); + throw new ApiException( + response.httpStatusCode, + bodyText + ); + } + throw new ApiException(response.httpStatusCode, body); + } + + // Work around for missing responses in specification, e.g. 
for petstore.yaml + if (response.httpStatusCode >= 200 && response.httpStatusCode <= 299) { + const body: CloudWorkloadSecurityAgentRuleResponse = + ObjectSerializer.deserialize( + ObjectSerializer.parse(await response.body.text(), contentType), + "CloudWorkloadSecurityAgentRuleResponse", + "" + ) as CloudWorkloadSecurityAgentRuleResponse; return body; } @@ -725,20 +1252,28 @@ export class CSMThreatsApiResponseProcessor { * Unwraps the actual response sent by the server from the response context and deserializes the response content * to the expected objects * - * @params response Response returned by the server for a request to downloadCloudWorkloadPolicyFile + * @params response Response returned by the server for a request to getCSMThreatsAgentPolicy * @throws ApiException if the response code was not in [200, 299] */ - public async downloadCloudWorkloadPolicyFile( + public async getCSMThreatsAgentPolicy( response: ResponseContext - ): Promise { + ): Promise { const contentType = ObjectSerializer.normalizeMediaType( response.headers["content-type"] ); if (response.httpStatusCode === 200) { - const body: HttpFile = (await response.getBodyAsFile()) as HttpFile; + const body: CloudWorkloadSecurityAgentPolicyResponse = + ObjectSerializer.deserialize( + ObjectSerializer.parse(await response.body.text(), contentType), + "CloudWorkloadSecurityAgentPolicyResponse" + ) as CloudWorkloadSecurityAgentPolicyResponse; return body; } - if (response.httpStatusCode === 403 || response.httpStatusCode === 429) { + if ( + response.httpStatusCode === 403 || + response.httpStatusCode === 404 || + response.httpStatusCode === 429 + ) { const bodyText = ObjectSerializer.parse( await response.body.text(), contentType 
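Review bot: The relocated fallback branches of `downloadCloudWorkloadPolicyFile` and `downloadCSMThreatsPolicy` cast `(await response.getBodyAsFile()) as any as HttpFile`, while the 200 branch a few lines above casts the same call with a single `as HttpFile`; the detour through `any` disables checking for no visible gain. If `getBodyAsFile()` already yields an `HttpFile`, `const body: HttpFile = await response.getBodyAsFile();` suffices in both places. This is moved rather than new code, so the fix belongs in the generator template rather than in this file alone.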
@@ -761,8 +1296,12 @@ export class CSMThreatsApiResponseProcessor { // Work around for missing responses in specification, e.g. for petstore.yaml if (response.httpStatusCode >= 200 && response.httpStatusCode <= 299) { - const body: HttpFile = - (await response.getBodyAsFile()) as any as HttpFile; + const body: CloudWorkloadSecurityAgentPolicyResponse = + ObjectSerializer.deserialize( + ObjectSerializer.parse(await response.body.text(), contentType), + "CloudWorkloadSecurityAgentPolicyResponse", + "" + ) as CloudWorkloadSecurityAgentPolicyResponse; return body; } @@ -777,20 +1316,28 @@ export class CSMThreatsApiResponseProcessor { * Unwraps the actual response sent by the server from the response context and deserializes the response content * to the expected objects * - * @params response Response returned by the server for a request to downloadCSMThreatsPolicy + * @params response Response returned by the server for a request to getCSMThreatsAgentRule * @throws ApiException if the response code was not in [200, 299] */ - public async downloadCSMThreatsPolicy( + public async getCSMThreatsAgentRule( response: ResponseContext - ): Promise { + ): Promise { const contentType = ObjectSerializer.normalizeMediaType( response.headers["content-type"] ); if (response.httpStatusCode === 200) { - const body: HttpFile = (await response.getBodyAsFile()) as HttpFile; + const body: CloudWorkloadSecurityAgentRuleResponse = + ObjectSerializer.deserialize( + ObjectSerializer.parse(await response.body.text(), contentType), + "CloudWorkloadSecurityAgentRuleResponse" + ) as CloudWorkloadSecurityAgentRuleResponse; return body; } - if (response.httpStatusCode === 403 || response.httpStatusCode === 429) { + if ( + response.httpStatusCode === 403 || + response.httpStatusCode === 404 || + response.httpStatusCode === 429 + ) { const bodyText = ObjectSerializer.parse( await response.body.text(), contentType 
@@ -813,8 +1360,12 @@ export class CSMThreatsApiResponseProcessor { // Work around for missing responses in specification, e.g. for petstore.yaml if (response.httpStatusCode >= 200 && response.httpStatusCode <= 299) { - const body: HttpFile = - (await response.getBodyAsFile()) as any as HttpFile; + const body: CloudWorkloadSecurityAgentRuleResponse = + ObjectSerializer.deserialize( + ObjectSerializer.parse(await response.body.text(), contentType), + "CloudWorkloadSecurityAgentRuleResponse", + "" + ) as CloudWorkloadSecurityAgentRuleResponse; return body; } 
@@ -829,28 +1380,24 @@ export class CSMThreatsApiResponseProcessor { * Unwraps the actual response sent by the server from the response context and deserializes the response content * to the expected objects * - * @params response Response returned by the server for a request to getCloudWorkloadSecurityAgentRule + * @params response Response returned by the server for a request to listCloudWorkloadSecurityAgentRules * @throws ApiException if the response code was not in [200, 299] */ - public async getCloudWorkloadSecurityAgentRule( + public async listCloudWorkloadSecurityAgentRules( response: ResponseContext - ): Promise { + ): Promise { const contentType = ObjectSerializer.normalizeMediaType( response.headers["content-type"] ); if (response.httpStatusCode === 200) { - const body: CloudWorkloadSecurityAgentRuleResponse = + const body: CloudWorkloadSecurityAgentRulesListResponse = ObjectSerializer.deserialize( ObjectSerializer.parse(await response.body.text(), contentType), - "CloudWorkloadSecurityAgentRuleResponse" - ) as CloudWorkloadSecurityAgentRuleResponse; + "CloudWorkloadSecurityAgentRulesListResponse" + ) as CloudWorkloadSecurityAgentRulesListResponse; return body; } - if ( - response.httpStatusCode === 403 || - response.httpStatusCode === 404 || - response.httpStatusCode === 429 - ) { + if (response.httpStatusCode === 403 || response.httpStatusCode === 429) { const bodyText = ObjectSerializer.parse( await response.body.text(), contentType 
@@ -873,12 +1420,12 @@ export class CSMThreatsApiResponseProcessor { // Work around for missing responses in specification, e.g. for petstore.yaml if (response.httpStatusCode >= 200 && response.httpStatusCode <= 299) { - const body: CloudWorkloadSecurityAgentRuleResponse = + const body: CloudWorkloadSecurityAgentRulesListResponse = ObjectSerializer.deserialize( ObjectSerializer.parse(await response.body.text(), contentType), - "CloudWorkloadSecurityAgentRuleResponse", + "CloudWorkloadSecurityAgentRulesListResponse", "" - ) as CloudWorkloadSecurityAgentRuleResponse; + ) as CloudWorkloadSecurityAgentRulesListResponse; return body; } 
@@ -893,28 +1440,24 @@ export class CSMThreatsApiResponseProcessor { * Unwraps the actual response sent by the server from the response context and deserializes the response content * to the expected objects * - * @params response Response returned by the server for a request to getCSMThreatsAgentRule + * @params response Response returned by the server for a request to listCSMThreatsAgentPolicies * @throws ApiException if the response code was not in [200, 299] */ - public async getCSMThreatsAgentRule( + public async listCSMThreatsAgentPolicies( response: ResponseContext - ): Promise { + ): Promise { const contentType = ObjectSerializer.normalizeMediaType( response.headers["content-type"] ); if (response.httpStatusCode === 200) { - const body: CloudWorkloadSecurityAgentRuleResponse = + const body: CloudWorkloadSecurityAgentPoliciesListResponse = ObjectSerializer.deserialize( ObjectSerializer.parse(await response.body.text(), contentType), - "CloudWorkloadSecurityAgentRuleResponse" - ) as CloudWorkloadSecurityAgentRuleResponse; + "CloudWorkloadSecurityAgentPoliciesListResponse" + ) as CloudWorkloadSecurityAgentPoliciesListResponse; return body; } - if ( - response.httpStatusCode === 403 || - response.httpStatusCode === 404 || - response.httpStatusCode === 429 - ) { + if (response.httpStatusCode === 403 || response.httpStatusCode === 429) { const bodyText = ObjectSerializer.parse( await response.body.text(), contentType 
@@ -937,12 +1480,12 @@ export class CSMThreatsApiResponseProcessor { // Work around for missing responses in specification, e.g. for petstore.yaml if (response.httpStatusCode >= 200 && response.httpStatusCode <= 299) { - const body: CloudWorkloadSecurityAgentRuleResponse = + const body: CloudWorkloadSecurityAgentPoliciesListResponse = ObjectSerializer.deserialize( ObjectSerializer.parse(await response.body.text(), contentType), - "CloudWorkloadSecurityAgentRuleResponse", + "CloudWorkloadSecurityAgentPoliciesListResponse", "" - ) as CloudWorkloadSecurityAgentRuleResponse; + ) as CloudWorkloadSecurityAgentPoliciesListResponse; return body; } @@ -957,10 +1500,10 @@ export class CSMThreatsApiResponseProcessor { * Unwraps the actual response sent by the server from the response context and deserializes the response content * to the expected objects * - * @params response Response returned by the server for a request to listCloudWorkloadSecurityAgentRules + * @params response Response returned by the server for a request to listCSMThreatsAgentRules * @throws ApiException if the response code was not in [200, 299] */ - public async listCloudWorkloadSecurityAgentRules( + public async listCSMThreatsAgentRules( response: ResponseContext ): Promise { const contentType = ObjectSerializer.normalizeMediaType( 
@@ -1017,24 +1560,30 @@ export class CSMThreatsApiResponseProcessor { * Unwraps the actual response sent by the server from the response context and deserializes the response content * to the expected objects * - * @params response Response returned by the server for a request to listCSMThreatsAgentRules + * @params response Response returned by the server for a request to updateCloudWorkloadSecurityAgentRule * @throws ApiException if the response code was not in [200, 299] */ - public async listCSMThreatsAgentRules( + public async updateCloudWorkloadSecurityAgentRule( response: ResponseContext - ): Promise { + ): Promise { const contentType = ObjectSerializer.normalizeMediaType( response.headers["content-type"] ); if (response.httpStatusCode === 200) { - const body: CloudWorkloadSecurityAgentRulesListResponse = + const body: CloudWorkloadSecurityAgentRuleResponse = ObjectSerializer.deserialize( ObjectSerializer.parse(await response.body.text(), contentType), - "CloudWorkloadSecurityAgentRulesListResponse" - ) as CloudWorkloadSecurityAgentRulesListResponse; + "CloudWorkloadSecurityAgentRuleResponse" + ) as CloudWorkloadSecurityAgentRuleResponse; return body; } - if (response.httpStatusCode === 403 || response.httpStatusCode === 429) { + if ( + response.httpStatusCode === 400 || + response.httpStatusCode === 403 || + response.httpStatusCode === 404 || + response.httpStatusCode === 409 || + response.httpStatusCode === 429 + ) { const bodyText = ObjectSerializer.parse( await response.body.text(), contentType 
@@ -1057,12 +1606,12 @@ export class CSMThreatsApiResponseProcessor { // Work around for missing responses in specification, e.g. for petstore.yaml if (response.httpStatusCode >= 200 && response.httpStatusCode <= 299) { - const body: CloudWorkloadSecurityAgentRulesListResponse = + const body: CloudWorkloadSecurityAgentRuleResponse = ObjectSerializer.deserialize( ObjectSerializer.parse(await response.body.text(), contentType), - "CloudWorkloadSecurityAgentRulesListResponse", + "CloudWorkloadSecurityAgentRuleResponse", "" - ) as CloudWorkloadSecurityAgentRulesListResponse; + ) as CloudWorkloadSecurityAgentRuleResponse; return body; } @@ -1077,21 +1626,21 @@ export class CSMThreatsApiResponseProcessor { * Unwraps the actual response sent by the server from the response context and deserializes the response content * to the expected objects * - * @params response Response returned by the server for a request to updateCloudWorkloadSecurityAgentRule + * @params response Response returned by the server for a request to updateCSMThreatsAgentPolicy * @throws ApiException if the response code was not in [200, 299] */ - public async updateCloudWorkloadSecurityAgentRule( + public async updateCSMThreatsAgentPolicy( response: ResponseContext - ): Promise { + ): Promise { const contentType = ObjectSerializer.normalizeMediaType( response.headers["content-type"] ); if (response.httpStatusCode === 200) { - const body: CloudWorkloadSecurityAgentRuleResponse = + const body: CloudWorkloadSecurityAgentPolicyResponse = ObjectSerializer.deserialize( ObjectSerializer.parse(await response.body.text(), contentType), - "CloudWorkloadSecurityAgentRuleResponse" - ) as CloudWorkloadSecurityAgentRuleResponse; + "CloudWorkloadSecurityAgentPolicyResponse" + ) as CloudWorkloadSecurityAgentPolicyResponse; return body; } if ( 
@@ -1123,12 +1672,12 @@ export class CSMThreatsApiResponseProcessor { // Work around for missing responses in specification, e.g. for petstore.yaml if (response.httpStatusCode >= 200 && response.httpStatusCode <= 299) { - const body: CloudWorkloadSecurityAgentRuleResponse = + const body: CloudWorkloadSecurityAgentPolicyResponse = ObjectSerializer.deserialize( ObjectSerializer.parse(await response.body.text(), contentType), - "CloudWorkloadSecurityAgentRuleResponse", + "CloudWorkloadSecurityAgentPolicyResponse", "" - ) as CloudWorkloadSecurityAgentRuleResponse; + ) as CloudWorkloadSecurityAgentPolicyResponse; return body; } @@ -1208,15 +1757,23 @@ export class CSMThreatsApiResponseProcessor { export interface CSMThreatsApiCreateCloudWorkloadSecurityAgentRuleRequest { /** - * The definition of the new Agent rule. + * The definition of the new Agent rule * @type CloudWorkloadSecurityAgentRuleCreateRequest */ body: CloudWorkloadSecurityAgentRuleCreateRequest; } +export interface CSMThreatsApiCreateCSMThreatsAgentPolicyRequest { + /** + * The definition of the new Agent policy + * @type CloudWorkloadSecurityAgentPolicyCreateRequest + */ + body: CloudWorkloadSecurityAgentPolicyCreateRequest; +} + export interface CSMThreatsApiCreateCSMThreatsAgentRuleRequest { /** - * The definition of the new Agent rule. + * The definition of the new Agent rule * @type CloudWorkloadSecurityAgentRuleCreateRequest */ body: CloudWorkloadSecurityAgentRuleCreateRequest; 
@@ -1224,60 +1781,112 @@ export interface CSMThreatsApiCreateCSMThreatsAgentRuleRequest { export interface CSMThreatsApiDeleteCloudWorkloadSecurityAgentRuleRequest { /** - * The ID of the Agent rule. + * The ID of the Agent rule * @type string */ agentRuleId: string; } +export interface CSMThreatsApiDeleteCSMThreatsAgentPolicyRequest { + /** + * The ID of the Agent policy + * @type string + */ + policyId: string; +} + export interface CSMThreatsApiDeleteCSMThreatsAgentRuleRequest { /** - * The ID of the Agent rule. + * The ID of the Agent rule * @type string */ agentRuleId: string; + /** + * The ID of the Agent policy + * @type string + */ + policyId?: string; } export interface CSMThreatsApiGetCloudWorkloadSecurityAgentRuleRequest { /** - * The ID of the Agent rule. + * The ID of the Agent rule * @type string */ agentRuleId: string; } +export interface CSMThreatsApiGetCSMThreatsAgentPolicyRequest { + /** + * The ID of the Agent policy + * @type string + */ + policyId: string; +} + export interface CSMThreatsApiGetCSMThreatsAgentRuleRequest { /** - * The ID of the Agent rule. + * The ID of the Agent rule * @type string */ agentRuleId: string; + /** + * The ID of the Agent policy + * @type string + */ + policyId?: string; +} + +export interface CSMThreatsApiListCSMThreatsAgentRulesRequest { + /** + * The ID of the Agent policy + * @type string + */ + policyId?: string; } export interface CSMThreatsApiUpdateCloudWorkloadSecurityAgentRuleRequest { /** - * The ID of the Agent rule. + * The ID of the Agent rule * @type string */ agentRuleId: string; /** - * New definition of the Agent rule. 
+ * New definition of the Agent rule * @type CloudWorkloadSecurityAgentRuleUpdateRequest */ body: CloudWorkloadSecurityAgentRuleUpdateRequest; } +export interface CSMThreatsApiUpdateCSMThreatsAgentPolicyRequest { + /** + * The ID of the Agent policy + * @type string + */ + policyId: string; + /** + * New definition of the Agent policy + * @type CloudWorkloadSecurityAgentPolicyUpdateRequest + */ + body: CloudWorkloadSecurityAgentPolicyUpdateRequest; +} + export interface CSMThreatsApiUpdateCSMThreatsAgentRuleRequest { /** - * The ID of the Agent rule. + * The ID of the Agent rule * @type string */ agentRuleId: string; /** - * New definition of the Agent rule. + * New definition of the Agent rule * @type CloudWorkloadSecurityAgentRuleUpdateRequest */ body: CloudWorkloadSecurityAgentRuleUpdateRequest; + /** + * The ID of the Agent policy + * @type string + */ + policyId?: string; } export class CSMThreatsApi { @@ -1322,7 +1931,28 @@ export class CSMThreatsApi { } /** - * Create a new Cloud Security Management Threats Agent rule with the given parameters. + * Create a new Cloud Security Management Threats Agent policy with the given parameters + * @param param The request object + */ + public createCSMThreatsAgentPolicy( + param: CSMThreatsApiCreateCSMThreatsAgentPolicyRequest, + options?: Configuration + ): Promise { + const requestContextPromise = + this.requestFactory.createCSMThreatsAgentPolicy(param.body, options); + return requestContextPromise.then((requestContext) => { + return this.configuration.httpApi + .send(requestContext) + .then((responseContext) => { + return this.responseProcessor.createCSMThreatsAgentPolicy( + responseContext + ); + }); + }); + } + + /** + * Create a new Cloud Security Management Threats Agent rule with the given parameters * @param param The request object */ public createCSMThreatsAgentRule( 
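Review bot: The new optional `policyId?: string` on the Get/Delete/Update agent-rule request interfaces (`CSMThreatsApiDeleteCSMThreatsAgentRuleRequest`, `CSMThreatsApiGetCSMThreatsAgentRuleRequest`, `CSMThreatsApiUpdateCSMThreatsAgentRuleRequest`) is documented only as "The ID of the Agent policy", with nothing about what the call targets when it is omitted. For a delete or update of a detection rule that is the operationally important case: a caller who forgets the policy cannot tell from the type whether the rule is resolved in a default policy, across all policies, or rejected. I would extend the doc comment to `The ID of the Agent policy the rule belongs to; when omitted the server resolves the rule without a policy scope — confirm which policy that is before relying on it`, or whatever the spec actually guarantees. Since this file is regenerated from the OpenAPI spec (per the commit subject), the wording presumably has to change in the spec's parameter description rather than here.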
@@ -1345,7 +1975,7 @@ export class CSMThreatsApi { } /** - * Delete a specific Agent rule. + * Delete a specific Agent rule * @param param The request object */ public deleteCloudWorkloadSecurityAgentRule( @@ -1369,7 +1999,28 @@ export class CSMThreatsApi { } /** - * Delete a specific Cloud Security Management Threats Agent rule. + * Delete a specific Cloud Security Management Threats Agent policy + * @param param The request object + */ + public deleteCSMThreatsAgentPolicy( + param: CSMThreatsApiDeleteCSMThreatsAgentPolicyRequest, + options?: Configuration + ): Promise { + const requestContextPromise = + this.requestFactory.deleteCSMThreatsAgentPolicy(param.policyId, options); + return requestContextPromise.then((requestContext) => { + return this.configuration.httpApi + .send(requestContext) + .then((responseContext) => { + return this.responseProcessor.deleteCSMThreatsAgentPolicy( + responseContext + ); + }); + }); + } + + /** + * Delete a specific Cloud Security Management Threats Agent rule * @param param The request object */ public deleteCSMThreatsAgentRule( @@ -1378,6 +2029,7 @@ export class CSMThreatsApi { ): Promise { const requestContextPromise = this.requestFactory.deleteCSMThreatsAgentRule( param.agentRuleId, + param.policyId, options ); return requestContextPromise.then((requestContext) => { @@ -1434,7 +2086,7 @@ export class CSMThreatsApi { } /** - * Get the details of a specific Agent rule. + * Get the details of a specific Agent rule * @param param The request object */ public getCloudWorkloadSecurityAgentRule( 
@@ -1458,7 +2110,30 @@ export class CSMThreatsApi { } /** - * Get the details of a specific Cloud Security Management Threats Agent rule. + * Get the details of a specific Cloud Security Management Threats Agent policy + * @param param The request object + */ + public getCSMThreatsAgentPolicy( + param: CSMThreatsApiGetCSMThreatsAgentPolicyRequest, + options?: Configuration + ): Promise { + const requestContextPromise = this.requestFactory.getCSMThreatsAgentPolicy( + param.policyId, + options + ); + return requestContextPromise.then((requestContext) => { + return this.configuration.httpApi + .send(requestContext) + .then((responseContext) => { + return this.responseProcessor.getCSMThreatsAgentPolicy( + responseContext + ); + }); + }); + } + + /** + * Get the details of a specific Cloud Security Management Threats Agent rule * @param param The request object */ public getCSMThreatsAgentRule( @@ -1467,6 +2142,7 @@ export class CSMThreatsApi { ): Promise { const requestContextPromise = this.requestFactory.getCSMThreatsAgentRule( param.agentRuleId, + param.policyId, options ); return requestContextPromise.then((requestContext) => { @@ -1479,7 +2155,7 @@ export class CSMThreatsApi { } /** - * Get the list of Agent rules. + * Get the list of Agent rules * @param param The request object */ public listCloudWorkloadSecurityAgentRules( 
@@ -1499,14 +2175,37 @@ export class CSMThreatsApi { } /** - * Get the list of Cloud Security Management Threats Agent rules. + * Get the list of Cloud Security Management Threats Agent policies + * @param param The request object + */ + public listCSMThreatsAgentPolicies( + options?: Configuration + ): Promise { + const requestContextPromise = + this.requestFactory.listCSMThreatsAgentPolicies(options); + return requestContextPromise.then((requestContext) => { + return this.configuration.httpApi + .send(requestContext) + .then((responseContext) => { + return this.responseProcessor.listCSMThreatsAgentPolicies( + responseContext + ); + }); + }); + } + + /** + * Get the list of Cloud Security Management Threats Agent rules * @param param The request object */ public listCSMThreatsAgentRules( + param: CSMThreatsApiListCSMThreatsAgentRulesRequest = {}, options?: Configuration ): Promise { - const requestContextPromise = - this.requestFactory.listCSMThreatsAgentRules(options); + const requestContextPromise = this.requestFactory.listCSMThreatsAgentRules( + param.policyId, + options + ); return requestContextPromise.then((requestContext) => { return this.configuration.httpApi .send(requestContext) 
@@ -1544,6 +2243,32 @@ export class CSMThreatsApi { }); } + /** + * Update a specific Cloud Security Management Threats Agent policy. + * Returns the Agent policy object when the request is successful. + * @param param The request object + */ + public updateCSMThreatsAgentPolicy( + param: CSMThreatsApiUpdateCSMThreatsAgentPolicyRequest, + options?: Configuration + ): Promise { + const requestContextPromise = + this.requestFactory.updateCSMThreatsAgentPolicy( + param.policyId, + param.body, + options + ); + return requestContextPromise.then((requestContext) => { + return this.configuration.httpApi + .send(requestContext) + .then((responseContext) => { + return this.responseProcessor.updateCSMThreatsAgentPolicy( + responseContext + ); + }); + }); + } + /** * Update a specific Cloud Security Management Threats Agent rule. * Returns the Agent rule object when the request is successful. @@ -1556,6 +2281,7 @@ export class CSMThreatsApi { const requestContextPromise = this.requestFactory.updateCSMThreatsAgentRule( param.agentRuleId, param.body, + param.policyId, options ); return requestContextPromise.then((requestContext) => { diff --git a/packages/datadog-api-client-v2/index.ts b/packages/datadog-api-client-v2/index.ts index 287ae1b33223..555e193f1e19 100644 --- a/packages/datadog-api-client-v2/index.ts +++ b/packages/datadog-api-client-v2/index.ts 
@@ -107,12 +107,17 @@ export { export { CSMCoverageAnalysisApi } from "./apis/CSMCoverageAnalysisApi"; export { + CSMThreatsApiCreateCSMThreatsAgentPolicyRequest, CSMThreatsApiCreateCSMThreatsAgentRuleRequest, CSMThreatsApiCreateCloudWorkloadSecurityAgentRuleRequest, + CSMThreatsApiDeleteCSMThreatsAgentPolicyRequest, CSMThreatsApiDeleteCSMThreatsAgentRuleRequest, CSMThreatsApiDeleteCloudWorkloadSecurityAgentRuleRequest, + CSMThreatsApiGetCSMThreatsAgentPolicyRequest, CSMThreatsApiGetCSMThreatsAgentRuleRequest, CSMThreatsApiGetCloudWorkloadSecurityAgentRuleRequest, + CSMThreatsApiListCSMThreatsAgentRulesRequest, + CSMThreatsApiUpdateCSMThreatsAgentPolicyRequest, CSMThreatsApiUpdateCSMThreatsAgentRuleRequest, CSMThreatsApiUpdateCloudWorkloadSecurityAgentRuleRequest, CSMThreatsApi, 
@@ -1090,6 +1095,18 @@ export { CloudflareAccountType } from "./models/CloudflareAccountType"; export { CloudflareAccountUpdateRequest } from "./models/CloudflareAccountUpdateRequest"; export { CloudflareAccountUpdateRequestAttributes } from "./models/CloudflareAccountUpdateRequestAttributes"; export { CloudflareAccountUpdateRequestData } from "./models/CloudflareAccountUpdateRequestData"; +export { CloudWorkloadSecurityAgentPoliciesListResponse } from "./models/CloudWorkloadSecurityAgentPoliciesListResponse"; +export { CloudWorkloadSecurityAgentPolicyAttributes } from "./models/CloudWorkloadSecurityAgentPolicyAttributes"; +export { CloudWorkloadSecurityAgentPolicyCreateAttributes } from "./models/CloudWorkloadSecurityAgentPolicyCreateAttributes"; +export { CloudWorkloadSecurityAgentPolicyCreateData } from "./models/CloudWorkloadSecurityAgentPolicyCreateData"; +export { CloudWorkloadSecurityAgentPolicyCreateRequest } from "./models/CloudWorkloadSecurityAgentPolicyCreateRequest"; +export { CloudWorkloadSecurityAgentPolicyData } from "./models/CloudWorkloadSecurityAgentPolicyData"; +export { CloudWorkloadSecurityAgentPolicyResponse } from "./models/CloudWorkloadSecurityAgentPolicyResponse"; +export { CloudWorkloadSecurityAgentPolicyType } from "./models/CloudWorkloadSecurityAgentPolicyType"; +export { CloudWorkloadSecurityAgentPolicyUpdateAttributes } from "./models/CloudWorkloadSecurityAgentPolicyUpdateAttributes"; +export { CloudWorkloadSecurityAgentPolicyUpdateData } from "./models/CloudWorkloadSecurityAgentPolicyUpdateData"; +export { CloudWorkloadSecurityAgentPolicyUpdaterAttributes } from "./models/CloudWorkloadSecurityAgentPolicyUpdaterAttributes"; +export { CloudWorkloadSecurityAgentPolicyUpdateRequest } from "./models/CloudWorkloadSecurityAgentPolicyUpdateRequest"; export { CloudWorkloadSecurityAgentRuleAction } from "./models/CloudWorkloadSecurityAgentRuleAction"; export { CloudWorkloadSecurityAgentRuleAttributes } from 
"./models/CloudWorkloadSecurityAgentRuleAttributes"; export { CloudWorkloadSecurityAgentRuleCreateAttributes } from "./models/CloudWorkloadSecurityAgentRuleCreateAttributes"; diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPoliciesListResponse.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPoliciesListResponse.ts new file mode 100644 index 000000000000..0607b739697f --- /dev/null +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPoliciesListResponse.ts @@ -0,0 +1,53 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ +import { CloudWorkloadSecurityAgentPolicyData } from "./CloudWorkloadSecurityAgentPolicyData"; + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * Response object that includes a list of Agent policies + */ +export class CloudWorkloadSecurityAgentPoliciesListResponse { + /** + * A list of Agent policy objects + */ + "data"?: Array; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + data: { + baseName: "data", + type: "Array", + }, + additionalProperties: { + baseName: "additionalProperties", + type: "any", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return CloudWorkloadSecurityAgentPoliciesListResponse.attributeTypeMap; + } + + public constructor() {} +} 
diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyAttributes.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyAttributes.ts new file mode 100644 index 000000000000..25bb7dc0478c --- /dev/null +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyAttributes.ts 
@@ -0,0 +1,172 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ +import { CloudWorkloadSecurityAgentPolicyUpdaterAttributes } from "./CloudWorkloadSecurityAgentPolicyUpdaterAttributes"; + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * A Cloud Workload Security Agent policy returned by the API + */ +export class CloudWorkloadSecurityAgentPolicyAttributes { + /** + * The number of rules with the blocking feature in this policy + */ + "blockingRulesCount"?: number; + /** + * Whether the policy is managed by Datadog + */ + "datadogManaged"?: boolean; + /** + * The description of the policy + */ + "description"?: string; + /** + * The number of rules that are disabled in this policy + */ + "disabledRulesCount"?: number; + /** + * Whether the Agent policy is enabled + */ + "enabled"?: boolean; + /** + * The host tags defining where this policy is deployed + */ + "hostTags"?: Array; + /** + * The host tags defining where this policy is deployed, the inner values are linked with AND, the outer values are linked with OR + */ + "hostTagsLists"?: Array>; + /** + * The number of rules in the monitoring state in this policy + */ + "monitoringRulesCount"?: number; + /** + * The name of the policy + */ + "name"?: string; + /** + * The version of the policy + */ + "policyVersion"?: string; + /** + * The priority of the policy + */ + "priority"?: number; + /** + * The number of rules in this policy + */ + "ruleCount"?: number; + /** + * Timestamp in milliseconds when the policy was last updated + */ + "updateDate"?: number; + /** + * When the policy was last updated, timestamp in milliseconds + */ + "updatedAt"?: number; + /** + * The attributes of the user who last updated the policy + */ + "updater"?: 
CloudWorkloadSecurityAgentPolicyUpdaterAttributes; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + blockingRulesCount: { + baseName: "blockingRulesCount", + type: "number", + format: "int32", + }, + datadogManaged: { + baseName: "datadogManaged", + type: "boolean", + }, + description: { + baseName: "description", + type: "string", + }, + disabledRulesCount: { + baseName: "disabledRulesCount", + type: "number", + format: "int32", + }, + enabled: { + baseName: "enabled", + type: "boolean", + }, + hostTags: { + baseName: "hostTags", + type: "Array", + }, + hostTagsLists: { + baseName: "hostTagsLists", + type: "Array>", + }, + monitoringRulesCount: { + baseName: "monitoringRulesCount", + type: "number", + format: "int32", + }, + name: { + baseName: "name", + type: "string", + }, + policyVersion: { + baseName: "policyVersion", + type: "string", + }, + priority: { + baseName: "priority", + type: "number", + format: "int64", + }, + ruleCount: { + baseName: "ruleCount", + type: "number", + format: "int32", + }, + updateDate: { + baseName: "updateDate", + type: "number", + format: "int64", + }, + updatedAt: { + baseName: "updatedAt", + type: "number", + format: "int64", + }, + updater: { + baseName: "updater", + type: "CloudWorkloadSecurityAgentPolicyUpdaterAttributes", + }, + additionalProperties: { + baseName: "additionalProperties", + type: "any", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return CloudWorkloadSecurityAgentPolicyAttributes.attributeTypeMap; + } + + public constructor() {} +} 
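Review bot: `CloudWorkloadSecurityAgentPolicyAttributes` exposes two fields with the same documented meaning, `updateDate` ("Timestamp in milliseconds when the policy was last updated") and `updatedAt` ("When the policy was last updated, timestamp in milliseconds"), both `int64`, and nothing says which one is authoritative or whether they can differ. Consumers doing change auditing on policies (who changed enforcement scope, and when) will pick one at random. If one is a legacy alias, its comment should say so, e.g. `Deprecated alias of updatedAt; prefer updatedAt`; if they are genuinely different instants, each comment should say what event it records. This presumably needs fixing in the spec descriptions rather than in the generated class.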
diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyCreateAttributes.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyCreateAttributes.ts new file mode 100644 index 000000000000..24dd13fb7134 --- /dev/null +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyCreateAttributes.ts 
@@ -0,0 +1,85 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * Create a new Cloud Workload Security Agent policy + */ +export class CloudWorkloadSecurityAgentPolicyCreateAttributes { + /** + * The description of the policy + */ + "description"?: string; + /** + * Whether the policy is enabled + */ + "enabled"?: boolean; + /** + * The host tags defining where this policy is deployed + */ + "hostTags"?: Array; + /** + * The host tags defining where this policy is deployed, the inner values are linked with AND, the outer values are linked with OR + */ + "hostTagsLists"?: Array>; + /** + * The name of the policy + */ + "name": string; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + description: { + baseName: "description", + type: "string", + }, + enabled: { + baseName: "enabled", + type: "boolean", + }, + hostTags: { + baseName: "hostTags", + type: "Array", + }, + hostTagsLists: { + baseName: "hostTagsLists", + type: "Array>", + }, + name: { + baseName: "name", + type: "string", + required: true, + }, + additionalProperties: { + baseName: "additionalProperties", + type: "any", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return CloudWorkloadSecurityAgentPolicyCreateAttributes.attributeTypeMap; + } + + public constructor() {} +} 
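Review bot: `hostTags` and `hostTagsLists` in `CloudWorkloadSecurityAgentPolicyCreateAttributes` both define where the policy is deployed, but only `hostTagsLists` documents its combinator (inner AND, outer OR) and neither says what happens when both are set, or how the flat `hostTags` entries combine with each other. Because these fields decide which hosts a blocking policy is enforced on, an ambiguous scope can silently widen or narrow enforcement. I would add to the `hostTags` comment `Flat list of tags; values are combined with <AND|OR>. Ignored when hostTagsLists is set — TODO confirm precedence with the API`, filling in whatever the spec owner confirms. As this is generated code, the change belongs in the OpenAPI description.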
diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyCreateData.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyCreateData.ts new file mode 100644 index 000000000000..b45f4acfcef6 --- /dev/null +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyCreateData.ts 
@@ -0,0 +1,64 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ +import { CloudWorkloadSecurityAgentPolicyCreateAttributes } from "./CloudWorkloadSecurityAgentPolicyCreateAttributes"; +import { CloudWorkloadSecurityAgentPolicyType } from "./CloudWorkloadSecurityAgentPolicyType"; + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * Object for a single Agent rule + */ +export class CloudWorkloadSecurityAgentPolicyCreateData { + /** + * Create a new Cloud Workload Security Agent policy + */ + "attributes": CloudWorkloadSecurityAgentPolicyCreateAttributes; + /** + * The type of the resource, must always be `policy` + */ + "type": CloudWorkloadSecurityAgentPolicyType; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + attributes: { + baseName: "attributes", + type: "CloudWorkloadSecurityAgentPolicyCreateAttributes", + required: true, + }, + type: { + baseName: "type", + type: "CloudWorkloadSecurityAgentPolicyType", + required: true, + }, + additionalProperties: { + baseName: "additionalProperties", + type: "any", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return CloudWorkloadSecurityAgentPolicyCreateData.attributeTypeMap; + } + + public constructor() {} +} 
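Review bot: The class comment on `CloudWorkloadSecurityAgentPolicyCreateData` reads "Object for a single Agent rule", which looks like a copy-paste from the rule model; the sibling `CloudWorkloadSecurityAgentPolicyData` in this same patch is documented as "Object for a single Agent policy". The same wrong text is repeated on the `data` property of `CloudWorkloadSecurityAgentPolicyCreateRequest`. I would change both to `Object for a single Agent policy`, which presumably means fixing the description in the spec schema so regeneration keeps it.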
diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyCreateRequest.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyCreateRequest.ts new file mode 100644 index 000000000000..ec649a7e4941 --- /dev/null +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyCreateRequest.ts @@ -0,0 +1,54 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ +import { CloudWorkloadSecurityAgentPolicyCreateData } from "./CloudWorkloadSecurityAgentPolicyCreateData"; + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * Request object that includes the Agent policy to create + */ +export class CloudWorkloadSecurityAgentPolicyCreateRequest { + /** + * Object for a single Agent rule + */ + "data": CloudWorkloadSecurityAgentPolicyCreateData; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + data: { + baseName: "data", + type: "CloudWorkloadSecurityAgentPolicyCreateData", + required: true, + }, + additionalProperties: { + baseName: "additionalProperties", + type: "any", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return CloudWorkloadSecurityAgentPolicyCreateRequest.attributeTypeMap; + } + + public constructor() {} +} 
diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyData.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyData.ts new file mode 100644 index 000000000000..97ef2b25aaa8 --- /dev/null +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyData.ts 
@@ -0,0 +1,70 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ +import { CloudWorkloadSecurityAgentPolicyAttributes } from "./CloudWorkloadSecurityAgentPolicyAttributes"; +import { CloudWorkloadSecurityAgentPolicyType } from "./CloudWorkloadSecurityAgentPolicyType"; + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * Object for a single Agent policy + */ +export class CloudWorkloadSecurityAgentPolicyData { + /** + * A Cloud Workload Security Agent policy returned by the API + */ + "attributes"?: CloudWorkloadSecurityAgentPolicyAttributes; + /** + * The ID of the Agent policy + */ + "id"?: string; + /** + * The type of the resource, must always be `policy` + */ + "type"?: CloudWorkloadSecurityAgentPolicyType; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + attributes: { + baseName: "attributes", + type: "CloudWorkloadSecurityAgentPolicyAttributes", + }, + id: { + baseName: "id", + type: "string", + }, + type: { + baseName: "type", + type: "CloudWorkloadSecurityAgentPolicyType", + }, + additionalProperties: { + baseName: "additionalProperties", + type: "any", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return CloudWorkloadSecurityAgentPolicyData.attributeTypeMap; + } + + public constructor() {} +} 
diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyResponse.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyResponse.ts new file mode 100644 index 000000000000..091f1b349069 --- /dev/null +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyResponse.ts @@ -0,0 +1,53 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ +import { CloudWorkloadSecurityAgentPolicyData } from "./CloudWorkloadSecurityAgentPolicyData"; + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * Response object that includes an Agent policy + */ +export class CloudWorkloadSecurityAgentPolicyResponse { + /** + * Object for a single Agent policy + */ + "data"?: CloudWorkloadSecurityAgentPolicyData; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + data: { + baseName: "data", + type: "CloudWorkloadSecurityAgentPolicyData", + }, + additionalProperties: { + baseName: "additionalProperties", + type: "any", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return CloudWorkloadSecurityAgentPolicyResponse.attributeTypeMap; + } + + public constructor() {} +} diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyType.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyType.ts new file mode 100644 index 000000000000..e2dfde09b687 --- /dev/null 
+++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyType.ts @@ -0,0 +1,16 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ + +import { UnparsedObject } from "../../datadog-api-client-common/util"; + +/** + * The type of the resource, must always be `policy` + */ + +export type CloudWorkloadSecurityAgentPolicyType = + | typeof POLICY + | UnparsedObject; +export const POLICY = "policy"; diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdateAttributes.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdateAttributes.ts new file mode 100644 index 000000000000..cd0e0ef95cdd --- /dev/null +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdateAttributes.ts 
@@ -0,0 +1,84 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * Update an existing Cloud Workload Security Agent policy + */ +export class CloudWorkloadSecurityAgentPolicyUpdateAttributes { + /** + * The description of the policy + */ + "description"?: string; + /** + * Whether the policy is enabled + */ + "enabled"?: boolean; + /** + * The host tags defining where this policy is deployed + */ + "hostTags"?: Array; + /** + * The host tags defining where this policy is deployed, the inner values are linked with AND, the outer values are linked with OR + */ + "hostTagsLists"?: Array>; + /** + * The name of the policy + */ + "name"?: string; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + description: { + baseName: "description", + type: "string", + }, + enabled: { + baseName: "enabled", + type: "boolean", + }, + hostTags: { + baseName: "hostTags", + type: "Array", + }, + hostTagsLists: { + baseName: "hostTagsLists", + type: "Array>", + }, + name: { + baseName: "name", + type: "string", + }, + additionalProperties: { + baseName: "additionalProperties", + type: "any", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return CloudWorkloadSecurityAgentPolicyUpdateAttributes.attributeTypeMap; + } + + public constructor() {} +} 
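Review bot: Neither the comment on `hostTags` nor the one on `hostTagsLists` in `CloudWorkloadSecurityAgentPolicyUpdateAttributes` says how the two relate when both are set in one update — whether one takes precedence or both apply — so a caller cannot tell which to populate. Since these tags define where the policy is deployed, an unintended widening from sending both is worth calling out at the field. A hedged note such as `// NOTE(review): precedence between hostTags and hostTagsLists when both are sent is not specified here — confirm against the API spec` on `hostTagsLists` would flag it until the spec description is clarified.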
diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdateData.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdateData.ts new file mode 100644 index 000000000000..0b061995a7d3 --- /dev/null +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdateData.ts 
@@ -0,0 +1,72 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ +import { CloudWorkloadSecurityAgentPolicyType } from "./CloudWorkloadSecurityAgentPolicyType"; +import { CloudWorkloadSecurityAgentPolicyUpdateAttributes } from "./CloudWorkloadSecurityAgentPolicyUpdateAttributes"; + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * Object for a single Agent policy + */ +export class CloudWorkloadSecurityAgentPolicyUpdateData { + /** + * Update an existing Cloud Workload Security Agent policy + */ + "attributes": CloudWorkloadSecurityAgentPolicyUpdateAttributes; + /** + * The ID of the Agent policy + */ + "id"?: string; + /** + * The type of the resource, must always be `policy` + */ + "type": CloudWorkloadSecurityAgentPolicyType; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + attributes: { + baseName: "attributes", + type: "CloudWorkloadSecurityAgentPolicyUpdateAttributes", + required: true, + }, + id: { + baseName: "id", + type: "string", + }, + type: { + baseName: "type", + type: "CloudWorkloadSecurityAgentPolicyType", + required: true, + }, + additionalProperties: { + baseName: "additionalProperties", + type: "any", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return CloudWorkloadSecurityAgentPolicyUpdateData.attributeTypeMap; + } + + public constructor() {} +} 
diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdateRequest.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdateRequest.ts new file mode 100644 index 000000000000..62d9f212ae3b --- /dev/null +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdateRequest.ts @@ -0,0 +1,54 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ +import { CloudWorkloadSecurityAgentPolicyUpdateData } from "./CloudWorkloadSecurityAgentPolicyUpdateData"; + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * Request object that includes the Agent policy with the attributes to update + */ +export class CloudWorkloadSecurityAgentPolicyUpdateRequest { + /** + * Object for a single Agent policy + */ + "data": CloudWorkloadSecurityAgentPolicyUpdateData; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + data: { + baseName: "data", + type: "CloudWorkloadSecurityAgentPolicyUpdateData", + required: true, + }, + additionalProperties: { + baseName: "additionalProperties", + type: "any", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return CloudWorkloadSecurityAgentPolicyUpdateRequest.attributeTypeMap; + } + + public constructor() {} +} 
diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdaterAttributes.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdaterAttributes.ts new file mode 100644 index 000000000000..0e9333b8edc0 --- /dev/null +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentPolicyUpdaterAttributes.ts @@ -0,0 +1,60 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * The attributes of the user who last updated the policy + */ +export class CloudWorkloadSecurityAgentPolicyUpdaterAttributes { + /** + * The handle of the user + */ + "handle"?: string; + /** + * The name of the user + */ + "name"?: string; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + handle: { + baseName: "handle", + type: "string", + }, + name: { + baseName: "name", + type: "string", + }, + additionalProperties: { + baseName: "additionalProperties", + type: "any", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return CloudWorkloadSecurityAgentPolicyUpdaterAttributes.attributeTypeMap; + } + + public constructor() {} +} diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleAction.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleAction.ts index 95ad05deff4d..170da9d3a7c7 100644 
--- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleAction.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleAction.ts @@ -8,7 +8,7 @@ import { CloudWorkloadSecurityAgentRuleKill } from "./CloudWorkloadSecurityAgent import { AttributeTypeMap } from "../../datadog-api-client-common/util"; /** - * The action the rule can perform if triggered. + * The action the rule can perform if triggered */ export class CloudWorkloadSecurityAgentRuleAction { /** diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleAttributes.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleAttributes.ts index 2d21a0a29539..0e62ba3f8236 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleAttributes.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleAttributes.ts 
@@ -10,75 +10,79 @@ import { CloudWorkloadSecurityAgentRuleUpdaterAttributes } from "./CloudWorkload import { AttributeTypeMap } from "../../datadog-api-client-common/util"; /** - * A Cloud Workload Security Agent rule returned by the API. + * A Cloud Workload Security Agent rule returned by the API */ export class CloudWorkloadSecurityAgentRuleAttributes { /** - * The array of actions the rule can perform if triggered. + * The array of actions the rule can perform if triggered */ "actions"?: Array; /** - * The version of the agent. + * The version of the Agent */ "agentConstraint"?: string; /** - * The category of the Agent rule. + * The category of the Agent rule */ "category"?: string; /** - * The ID of the user who created the rule. + * The ID of the user who created the rule */ "creationAuthorUuId"?: string; /** - * When the Agent rule was created, timestamp in milliseconds. + * When the Agent rule was created, timestamp in milliseconds */ "creationDate"?: number; /** - * The attributes of the user who created the Agent rule. + * The attributes of the user who created the Agent rule */ "creator"?: CloudWorkloadSecurityAgentRuleCreatorAttributes; /** - * Whether the rule is included by default. + * Whether the rule is included by default */ "defaultRule"?: boolean; /** - * The description of the Agent rule. + * The description of the Agent rule */ "description"?: string; /** - * Whether the Agent rule is enabled. + * Whether the Agent rule is enabled */ "enabled"?: boolean; /** - * The SECL expression of the Agent rule. + * The SECL expression of the Agent rule */ "expression"?: string; /** - * The platforms the Agent rule is supported on. + * The platforms the Agent rule is supported on */ "filters"?: Array; /** - * The name of the Agent rule. + * The name of the Agent rule */ "name"?: string; /** - * The ID of the user who updated the rule. 
+ * The list of product tags associated with the rule + */ + "productTags"?: Array; + /** + * The ID of the user who updated the rule */ "updateAuthorUuId"?: string; /** - * Timestamp in milliseconds when the Agent rule was last updated. + * Timestamp in milliseconds when the Agent rule was last updated */ "updateDate"?: number; /** - * When the Agent rule was last updated, timestamp in milliseconds. + * When the Agent rule was last updated, timestamp in milliseconds */ "updatedAt"?: number; /** - * The attributes of the user who last updated the Agent rule. + * The attributes of the user who last updated the Agent rule */ "updater"?: CloudWorkloadSecurityAgentRuleUpdaterAttributes; /** - * The version of the Agent rule. + * The version of the Agent rule */ "version"?: number; @@ -147,6 +151,10 @@ export class CloudWorkloadSecurityAgentRuleAttributes { baseName: "name", type: "string", }, + productTags: { + baseName: "product_tags", + type: "Array", + }, updateAuthorUuId: { baseName: "updateAuthorUuId", type: "string", diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateAttributes.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateAttributes.ts index b5f36846fdbe..2bd3cd71d275 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateAttributes.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateAttributes.ts @@ -15,7 +15,7 @@ export class CloudWorkloadSecurityAgentRuleCreateAttributes { */ "description"?: string; /** - * Whether the Agent rule is enabled. + * Whether the Agent rule is enabled */ "enabled"?: boolean; /** 
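Review bot: `updateDate` ("Timestamp in milliseconds when the Agent rule was last updated") and `updatedAt` ("When the Agent rule was last updated, timestamp in milliseconds") in `CloudWorkloadSecurityAgentRuleAttributes` are documented as the same value, so a reader cannot tell which to rely on or why both exist; the same applies to `creationDate` alongside `creator`/`creationAuthorUuId` only insofar as the comments never say which is authoritative. The commit only reworded punctuation on these lines, so the distinction has to come from the spec description; until then a hedged `// NOTE(review): updateDate and updatedAt are described identically — confirm which the API populates` on `updatedAt` would prevent a reader from assuming they are interchangeable. The class header and the `attributeTypeMap` for this class start outside the hunk.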
@@ -23,13 +23,21 @@ export class CloudWorkloadSecurityAgentRuleCreateAttributes { */ "expression": string; /** - * The platforms the Agent rule is supported on. + * The platforms the Agent rule is supported on */ "filters"?: Array; /** * The name of the Agent rule. */ "name": string; + /** + * The ID of the policy where the Agent rule is saved + */ + "policyId"?: string; + /** + * The list of product tags associated with the rule + */ + "productTags"?: Array; /** * A container for additional, undeclared properties. @@ -69,6 +77,14 @@ export class CloudWorkloadSecurityAgentRuleCreateAttributes { type: "string", required: true, }, + policyId: { + baseName: "policy_id", + type: "string", + }, + productTags: { + baseName: "product_tags", + type: "Array", + }, additionalProperties: { baseName: "additionalProperties", type: "any", diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateData.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateData.ts index 74fefb98f540..9ffda1b0bae8 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateData.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateData.ts @@ -9,7 +9,7 @@ import { CloudWorkloadSecurityAgentRuleType } from "./CloudWorkloadSecurityAgent import { AttributeTypeMap } from "../../datadog-api-client-common/util"; /** - * Object for a single Agent rule. + * Object for a single Agent rule */ export class CloudWorkloadSecurityAgentRuleCreateData { /** @@ -17,7 +17,7 @@ export class CloudWorkloadSecurityAgentRuleCreateData { */ "attributes": CloudWorkloadSecurityAgentRuleCreateAttributes; /** - * The type of the resource. The value should always be `agent_rule`. + * The type of the resource, must always be `agent_rule` */ "type": CloudWorkloadSecurityAgentRuleType; 
diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateRequest.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateRequest.ts index 4d43602920ab..b34d93414689 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateRequest.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreateRequest.ts @@ -8,11 +8,11 @@ import { CloudWorkloadSecurityAgentRuleCreateData } from "./CloudWorkloadSecurit import { AttributeTypeMap } from "../../datadog-api-client-common/util"; /** - * Request object that includes the Agent rule to create. + * Request object that includes the Agent rule to create */ export class CloudWorkloadSecurityAgentRuleCreateRequest { /** - * Object for a single Agent rule. + * Object for a single Agent rule */ "data": CloudWorkloadSecurityAgentRuleCreateData; diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreatorAttributes.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreatorAttributes.ts index 2517d2e90a82..d381ea0a4caf 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreatorAttributes.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleCreatorAttributes.ts @@ -7,15 +7,15 @@ import { AttributeTypeMap } from "../../datadog-api-client-common/util"; /** - * The attributes of the user who created the Agent rule. + * The attributes of the user who created the Agent rule */ export class CloudWorkloadSecurityAgentRuleCreatorAttributes { /** - * The handle of the user. + * The handle of the user */ "handle"?: string; /** - * The name of the user. + * The name of the user */ "name"?: string; diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleData.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleData.ts index ec0ba13ae79c..f411f4bd6145 100644 
--- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleData.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleData.ts @@ -9,19 +9,19 @@ import { CloudWorkloadSecurityAgentRuleType } from "./CloudWorkloadSecurityAgent import { AttributeTypeMap } from "../../datadog-api-client-common/util"; /** - * Object for a single Agent rule. + * Object for a single Agent rule */ export class CloudWorkloadSecurityAgentRuleData { /** - * A Cloud Workload Security Agent rule returned by the API. + * A Cloud Workload Security Agent rule returned by the API */ "attributes"?: CloudWorkloadSecurityAgentRuleAttributes; /** - * The ID of the Agent rule. + * The ID of the Agent rule */ "id"?: string; /** - * The type of the resource. The value should always be `agent_rule`. + * The type of the resource, must always be `agent_rule` */ "type"?: CloudWorkloadSecurityAgentRuleType; diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleKill.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleKill.ts index f7a46d8c21c1..33219591c98c 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleKill.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleKill.ts @@ -11,7 +11,7 @@ import { AttributeTypeMap } from "../../datadog-api-client-common/util"; */ export class CloudWorkloadSecurityAgentRuleKill { /** - * Supported signals for the kill system call. + * Supported signals for the kill system call */ "signal"?: string; diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleResponse.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleResponse.ts index 8a7ff7a2b640..4c2f9bc7a56e 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleResponse.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleResponse.ts 
@@ -8,11 +8,11 @@ import { CloudWorkloadSecurityAgentRuleData } from "./CloudWorkloadSecurityAgent import { AttributeTypeMap } from "../../datadog-api-client-common/util"; /** - * Response object that includes an Agent rule. + * Response object that includes an Agent rule */ export class CloudWorkloadSecurityAgentRuleResponse { /** - * Object for a single Agent rule. + * Object for a single Agent rule */ "data"?: CloudWorkloadSecurityAgentRuleData; diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleType.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleType.ts index 90039a5fa8c9..ae9a22125555 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleType.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleType.ts @@ -7,7 +7,7 @@ import { UnparsedObject } from "../../datadog-api-client-common/util"; /** - * The type of the resource. The value should always be `agent_rule`. + * The type of the resource, must always be `agent_rule` */ export type CloudWorkloadSecurityAgentRuleType = diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateAttributes.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateAttributes.ts index afae71721927..a0a6c16f7023 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateAttributes.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateAttributes.ts 
@@ -7,21 +7,29 @@ import { AttributeTypeMap } from "../../datadog-api-client-common/util"; /** - * Update an existing Cloud Workload Security Agent rule. + * Update an existing Cloud Workload Security Agent rule */ export class CloudWorkloadSecurityAgentRuleUpdateAttributes { /** - * The description of the Agent rule. + * The description of the Agent rule */ "description"?: string; /** - * Whether the Agent rule is enabled. + * Whether the Agent rule is enabled */ "enabled"?: boolean; /** - * The SECL expression of the Agent rule. + * The SECL expression of the Agent rule */ "expression"?: string; + /** + * The ID of the policy where the Agent rule is saved + */ + "policyId"?: string; + /** + * The list of product tags associated with the rule + */ + "productTags"?: Array; /** * A container for additional, undeclared properties. @@ -51,6 +59,14 @@ export class CloudWorkloadSecurityAgentRuleUpdateAttributes { baseName: "expression", type: "string", }, + policyId: { + baseName: "policy_id", + type: "string", + }, + productTags: { + baseName: "product_tags", + type: "Array", + }, additionalProperties: { baseName: "additionalProperties", type: "any", diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateData.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateData.ts index 5892903c00ca..c68f9472423f 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateData.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateData.ts 
@@ -9,19 +9,19 @@ import { CloudWorkloadSecurityAgentRuleUpdateAttributes } from "./CloudWorkloadS import { AttributeTypeMap } from "../../datadog-api-client-common/util"; /** - * Object for a single Agent rule. + * Object for a single Agent rule */ export class CloudWorkloadSecurityAgentRuleUpdateData { /** - * Update an existing Cloud Workload Security Agent rule. + * Update an existing Cloud Workload Security Agent rule */ "attributes": CloudWorkloadSecurityAgentRuleUpdateAttributes; /** - * The ID of the agent rule. + * The ID of the Agent rule */ "id"?: string; /** - * The type of the resource. The value should always be `agent_rule`. + * The type of the resource, must always be `agent_rule` */ "type": CloudWorkloadSecurityAgentRuleType; diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateRequest.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateRequest.ts index 46c36b1db08c..8d71981e0257 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateRequest.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdateRequest.ts @@ -8,11 +8,11 @@ import { CloudWorkloadSecurityAgentRuleUpdateData } from "./CloudWorkloadSecurit import { AttributeTypeMap } from "../../datadog-api-client-common/util"; /** - * Request object that includes the Agent rule with the attributes to update. + * Request object that includes the Agent rule with the attributes to update */ export class CloudWorkloadSecurityAgentRuleUpdateRequest { /** - * Object for a single Agent rule. + * Object for a single Agent rule */ "data": CloudWorkloadSecurityAgentRuleUpdateData; diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdaterAttributes.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdaterAttributes.ts index e134643a22bb..6dd026f6b314 100644 
--- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdaterAttributes.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRuleUpdaterAttributes.ts @@ -7,15 +7,15 @@ import { AttributeTypeMap } from "../../datadog-api-client-common/util"; /** - * The attributes of the user who last updated the Agent rule. + * The attributes of the user who last updated the Agent rule */ export class CloudWorkloadSecurityAgentRuleUpdaterAttributes { /** - * The handle of the user. + * The handle of the user */ "handle"?: string; /** - * The name of the user. + * The name of the user */ "name"?: string; diff --git a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRulesListResponse.ts b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRulesListResponse.ts index 7266eed76ff7..f19adcc79f43 100644 --- a/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRulesListResponse.ts +++ b/packages/datadog-api-client-v2/models/CloudWorkloadSecurityAgentRulesListResponse.ts @@ -8,11 +8,11 @@ import { CloudWorkloadSecurityAgentRuleData } from "./CloudWorkloadSecurityAgent import { AttributeTypeMap } from "../../datadog-api-client-common/util"; /** - * Response object that includes a list of Agent rule. + * Response object that includes a list of Agent rule */ export class CloudWorkloadSecurityAgentRulesListResponse { /** - * A list of Agent rules objects. + * A list of Agent rules objects */ "data"?: Array; diff --git a/packages/datadog-api-client-v2/models/ObjectSerializer.ts b/packages/datadog-api-client-v2/models/ObjectSerializer.ts index 1892f3fadb37..dc82d33da170 100644 --- a/packages/datadog-api-client-v2/models/ObjectSerializer.ts +++ b/packages/datadog-api-client-v2/models/ObjectSerializer.ts 
@@ -279,6 +279,17 @@ import { CloudConfigurationRuleComplianceSignalOptions } from "./CloudConfigurat import { CloudConfigurationRuleCreatePayload } from "./CloudConfigurationRuleCreatePayload"; import { CloudConfigurationRuleOptions } from "./CloudConfigurationRuleOptions"; import { CloudConfigurationRulePayload } from "./CloudConfigurationRulePayload"; +import { CloudWorkloadSecurityAgentPoliciesListResponse } from "./CloudWorkloadSecurityAgentPoliciesListResponse"; +import { CloudWorkloadSecurityAgentPolicyAttributes } from "./CloudWorkloadSecurityAgentPolicyAttributes"; +import { CloudWorkloadSecurityAgentPolicyCreateAttributes } from "./CloudWorkloadSecurityAgentPolicyCreateAttributes"; +import { CloudWorkloadSecurityAgentPolicyCreateData } from "./CloudWorkloadSecurityAgentPolicyCreateData"; +import { CloudWorkloadSecurityAgentPolicyCreateRequest } from "./CloudWorkloadSecurityAgentPolicyCreateRequest"; +import { CloudWorkloadSecurityAgentPolicyData } from "./CloudWorkloadSecurityAgentPolicyData"; +import { CloudWorkloadSecurityAgentPolicyResponse } from "./CloudWorkloadSecurityAgentPolicyResponse"; +import { CloudWorkloadSecurityAgentPolicyUpdateAttributes } from "./CloudWorkloadSecurityAgentPolicyUpdateAttributes"; +import { CloudWorkloadSecurityAgentPolicyUpdateData } from "./CloudWorkloadSecurityAgentPolicyUpdateData"; +import { CloudWorkloadSecurityAgentPolicyUpdateRequest } from "./CloudWorkloadSecurityAgentPolicyUpdateRequest"; +import { CloudWorkloadSecurityAgentPolicyUpdaterAttributes } from "./CloudWorkloadSecurityAgentPolicyUpdaterAttributes"; import { CloudWorkloadSecurityAgentRuleAction } from "./CloudWorkloadSecurityAgentRuleAction"; import { CloudWorkloadSecurityAgentRuleAttributes } from "./CloudWorkloadSecurityAgentRuleAttributes"; import { CloudWorkloadSecurityAgentRuleCreateAttributes } from "./CloudWorkloadSecurityAgentRuleCreateAttributes"; 
@@ -1987,6 +1998,7 @@ const enumsMap: { [key: string]: any[] } = { ], ChangeEventCustomAttributesImpactedResourcesItemsType: ["service"], CloudConfigurationRuleType: ["cloud_configuration"], + CloudWorkloadSecurityAgentPolicyType: ["policy"], CloudWorkloadSecurityAgentRuleType: ["agent_rule"], CloudflareAccountType: ["cloudflare-accounts"], CompletionConditionOperator: [ @@ -3174,6 +3186,27 @@ const typeMap: { [index: string]: any } = { CloudConfigurationRuleCreatePayload: CloudConfigurationRuleCreatePayload, CloudConfigurationRuleOptions: CloudConfigurationRuleOptions, CloudConfigurationRulePayload: CloudConfigurationRulePayload, + CloudWorkloadSecurityAgentPoliciesListResponse: + CloudWorkloadSecurityAgentPoliciesListResponse, + CloudWorkloadSecurityAgentPolicyAttributes: + CloudWorkloadSecurityAgentPolicyAttributes, + CloudWorkloadSecurityAgentPolicyCreateAttributes: + CloudWorkloadSecurityAgentPolicyCreateAttributes, + CloudWorkloadSecurityAgentPolicyCreateData: + CloudWorkloadSecurityAgentPolicyCreateData, + CloudWorkloadSecurityAgentPolicyCreateRequest: + CloudWorkloadSecurityAgentPolicyCreateRequest, + CloudWorkloadSecurityAgentPolicyData: CloudWorkloadSecurityAgentPolicyData, + CloudWorkloadSecurityAgentPolicyResponse: + CloudWorkloadSecurityAgentPolicyResponse, + CloudWorkloadSecurityAgentPolicyUpdateAttributes: + CloudWorkloadSecurityAgentPolicyUpdateAttributes, + CloudWorkloadSecurityAgentPolicyUpdateData: + CloudWorkloadSecurityAgentPolicyUpdateData, + CloudWorkloadSecurityAgentPolicyUpdateRequest: + CloudWorkloadSecurityAgentPolicyUpdateRequest, + CloudWorkloadSecurityAgentPolicyUpdaterAttributes: + CloudWorkloadSecurityAgentPolicyUpdaterAttributes, CloudWorkloadSecurityAgentRuleAction: CloudWorkloadSecurityAgentRuleAction, CloudWorkloadSecurityAgentRuleAttributes: CloudWorkloadSecurityAgentRuleAttributes,