From 59ba3c1841c5628f41ee054da5b9ba9fcdb1fa7b Mon Sep 17 00:00:00 2001 
From: "ci.datadog-api-spec" Date: Fri, 18 Apr 2025 09:54:24 +0000 Subject: [PATCH] Regenerate client from commit 5f0a41bc of spec repo --- .apigentools-info | 8 +- .generator/schemas/v2/openapi.yaml | 513 +++++++- .../CreateCSMThreatsAgentPolicy.java | 43 + .../CreateCSMThreatsAgentRule.java | 10 +- .../CreateCloudWorkloadSecurityAgentRule.java | 2 +- .../DeleteCSMThreatsAgentPolicy.java | 25 + .../DeleteCSMThreatsAgentRule.java | 8 +- .../csm-threats/GetCSMThreatsAgentPolicy.java | 28 + .../csm-threats/GetCSMThreatsAgentRule.java | 8 +- .../ListCSMThreatsAgentPolicies.java | 25 + .../UpdateCSMThreatsAgentPolicy.java | 47 + .../UpdateCSMThreatsAgentRule.java | 18 +- .../UpdateCloudWorkloadSecurityAgentRule.java | 7 +- .../api/client/v2/api/CsmThreatsApi.java | 1138 +++++++++++++++-- ...loadSecurityAgentPoliciesListResponse.java | 155 +++ ...WorkloadSecurityAgentPolicyAttributes.java | 568 ++++++++ ...adSecurityAgentPolicyCreateAttributes.java | 281 ++++ ...WorkloadSecurityAgentPolicyCreateData.java | 188 +++ ...kloadSecurityAgentPolicyCreateRequest.java | 151 +++ .../CloudWorkloadSecurityAgentPolicyData.java | 199 +++ ...udWorkloadSecurityAgentPolicyResponse.java | 139 ++ .../CloudWorkloadSecurityAgentPolicyType.java | 59 + ...adSecurityAgentPolicyUpdateAttributes.java | 273 ++++ ...WorkloadSecurityAgentPolicyUpdateData.java | 215 ++++ ...kloadSecurityAgentPolicyUpdateRequest.java | 151 +++ ...dSecurityAgentPolicyUpdaterAttributes.java | 180 +++ .../CloudWorkloadSecurityAgentRuleAction.java | 2 +- ...udWorkloadSecurityAgentRuleAttributes.java | 72 +- ...loadSecurityAgentRuleCreateAttributes.java | 79 +- ...udWorkloadSecurityAgentRuleCreateData.java | 4 +- ...orkloadSecurityAgentRuleCreateRequest.java | 4 +- ...oadSecurityAgentRuleCreatorAttributes.java | 6 +- .../CloudWorkloadSecurityAgentRuleData.java | 8 +- .../CloudWorkloadSecurityAgentRuleKill.java | 2 +- ...loudWorkloadSecurityAgentRuleResponse.java | 4 +- .../CloudWorkloadSecurityAgentRuleType.java | 2 +- 
...loadSecurityAgentRuleUpdateAttributes.java | 78 +- ...udWorkloadSecurityAgentRuleUpdateData.java | 8 +- ...orkloadSecurityAgentRuleUpdateRequest.java | 4 +- ...oadSecurityAgentRuleUpdaterAttributes.java | 6 +- ...orkloadSecurityAgentRulesListResponse.java | 4 +- ...policy_returns_Bad_Request_response.freeze | 1 + ...t_policy_returns_Bad_Request_response.json | 32 + ...ts_Agent_policy_returns_OK_response.freeze | 1 + ...eats_Agent_policy_returns_OK_response.json | 57 + ...t_rule_returns_Bad_Request_response.freeze | 2 +- ...ent_rule_returns_Bad_Request_response.json | 61 +- ...eats_Agent_rule_returns_OK_response.freeze | 2 +- ...hreats_Agent_rule_returns_OK_response.json | 65 +- ...t_rule_returns_Bad_Request_response.freeze | 2 +- ...ent_rule_returns_Bad_Request_response.json | 61 +- ...rity_Agent_rule_returns_OK_response.freeze | 2 +- ...curity_Agent_rule_returns_OK_response.json | 65 +- ...t_policy_returns_Not_Found_response.freeze | 1 + ...ent_policy_returns_Not_Found_response.json | 28 + ...ts_Agent_policy_returns_OK_response.freeze | 1 + ...eats_Agent_policy_returns_OK_response.json | 83 ++ ...ent_rule_returns_Not_Found_response.freeze | 2 +- ...Agent_rule_returns_Not_Found_response.json | 4 +- ...eats_Agent_rule_returns_OK_response.freeze | 2 +- ...hreats_Agent_rule_returns_OK_response.json | 74 +- ...ent_rule_returns_Not_Found_response.freeze | 2 +- ...Agent_rule_returns_Not_Found_response.json | 6 +- ...rity_Agent_rule_returns_OK_response.freeze | 2 +- ...curity_Agent_rule_returns_OK_response.json | 16 +- ...t_policy_returns_Not_Found_response.freeze | 1 + ...ent_policy_returns_Not_Found_response.json | 28 + ...ts_Agent_policy_returns_OK_response.freeze | 1 + ...eats_Agent_policy_returns_OK_response.json | 83 ++ ...ent_rule_returns_Not_Found_response.freeze | 2 +- ...Agent_rule_returns_Not_Found_response.json | 4 +- ...eats_Agent_rule_returns_OK_response.freeze | 2 +- ...hreats_Agent_rule_returns_OK_response.json | 76 +- 
...ent_rule_returns_Not_Found_response.freeze | 2 +- ...Agent_rule_returns_Not_Found_response.json | 6 +- ...rity_Agent_rule_returns_OK_response.freeze | 2 +- ...curity_Agent_rule_returns_OK_response.json | 16 +- ..._Agent_policies_returns_OK_response.freeze | 1 + ...ts_Agent_policies_returns_OK_response.json | 28 + ...ats_Agent_rules_returns_OK_response.freeze | 2 +- ...reats_Agent_rules_returns_OK_response.json | 2 +- ...ity_Agent_rules_returns_OK_response.freeze | 2 +- ...urity_Agent_rules_returns_OK_response.json | 53 +- ..._Threats_policy_returns_OK_response.freeze | 2 +- ...SM_Threats_policy_returns_OK_response.json | 2 +- ...Security_policy_returns_OK_response.freeze | 2 +- ...d_Security_policy_returns_OK_response.json | 2 +- ...policy_returns_Bad_Request_response.freeze | 1 + ...t_policy_returns_Bad_Request_response.json | 87 ++ ...t_policy_returns_Not_Found_response.freeze | 1 + ...ent_policy_returns_Not_Found_response.json | 32 + ...ts_Agent_policy_returns_OK_response.freeze | 1 + ...eats_Agent_policy_returns_OK_response.json | 87 ++ ...t_rule_returns_Bad_Request_response.freeze | 2 +- ...ent_rule_returns_Bad_Request_response.json | 73 +- ...ent_rule_returns_Not_Found_response.freeze | 2 +- ...Agent_rule_returns_Not_Found_response.json | 61 +- ...eats_Agent_rule_returns_OK_response.freeze | 2 +- ...hreats_Agent_rule_returns_OK_response.json | 78 +- ...t_rule_returns_Bad_Request_response.freeze | 2 +- ...ent_rule_returns_Bad_Request_response.json | 18 +- ...ent_rule_returns_Not_Found_response.freeze | 2 +- ...Agent_rule_returns_Not_Found_response.json | 8 +- ...rity_Agent_rule_returns_OK_response.freeze | 2 +- ...curity_Agent_rule_returns_OK_response.json | 18 +- .../api/client/v2/api/csm_threats.feature | 189 ++- .../com/datadog/api/client/v2/api/given.json | 14 +- .../com/datadog/api/client/v2/api/undo.json | 37 + 108 files changed, 5887 insertions(+), 443 deletions(-) create mode 100644 examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.java create 
mode 100644 examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.java create mode 100644 examples/v2/csm-threats/GetCSMThreatsAgentPolicy.java create mode 100644 examples/v2/csm-threats/ListCSMThreatsAgentPolicies.java create mode 100644 examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPoliciesListResponse.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyAttributes.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyCreateAttributes.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyCreateData.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyCreateRequest.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyData.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyResponse.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyType.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdateAttributes.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdateData.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdateRequest.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdaterAttributes.java create mode 100644 src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze create mode 100644 src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json create mode 100644 
src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.freeze create mode 100644 src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.json create mode 100644 src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze create mode 100644 src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json create mode 100644 src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.freeze create mode 100644 src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.json create mode 100644 src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze create mode 100644 src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json create mode 100644 src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.freeze create mode 100644 src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.json create mode 100644 src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.freeze create mode 100644 src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.json create mode 100644 src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze create mode 100644 src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json create mode 100644 src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze create mode 100644 src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json create mode 100644 
src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.freeze create mode 100644 src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.json diff --git a/.apigentools-info b/.apigentools-info index 89fe27797f1..b7d231afb87 100644 --- a/.apigentools-info +++ b/.apigentools-info @@ -4,13 +4,13 @@ "spec_versions": { "v1": { "apigentools_version": "1.6.6", - "regenerated": "2025-04-17 13:26:18.289754", - "spec_repo_commit": "12ab5180" + "regenerated": "2025-04-18 09:52:24.965114", + "spec_repo_commit": "5f0a41bc" }, "v2": { "apigentools_version": "1.6.6", - "regenerated": "2025-04-17 13:26:18.308287", - "spec_repo_commit": "12ab5180" + "regenerated": "2025-04-18 09:52:24.981373", + "spec_repo_commit": "5f0a41bc" } } } \ No newline at end of file diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index a191ada020a..2277752c2b1 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -209,13 +209,29 @@ components: schema: type: string CloudWorkloadSecurityAgentRuleID: - description: The ID of the Agent rule. + description: The ID of the Agent rule example: 3b5-v82-ns6 in: path name: agent_rule_id required: true schema: type: string + CloudWorkloadSecurityPathAgentPolicyID: + description: The ID of the Agent policy + example: 6517fcc1-cec7-4394-a655-8d6e9d085255 + in: path + name: policy_id + required: true + schema: + type: string + CloudWorkloadSecurityQueryAgentPolicyID: + description: The ID of the Agent policy + example: 6517fcc1-cec7-4394-a655-8d6e9d085255 + in: query + name: policy_id + required: false + schema: + type: string ConfluentAccountID: description: Confluent Account ID. in: path 
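Review bot: `CloudWorkloadSecurityQueryAgentPolicyID` is added as an optional query parameter (`required: false`) whose description, `The ID of the Agent policy`, does not say what the server does when it is omitted, yet the later hunks at `-48840`, `-48858` and `-48885` attach it to the delete, get and update operations on `/agent_rules/{agent_rule_id}` in addition to the list. For the delete in particular a caller needs to know whether an `agent_rule_id` is unique across policies or is resolved against some default policy when `policy_id` is absent; the spec does not say, so this should be confirmed with the API owners and written down. Once confirmed, the parameter description should carry it, along the lines of `description: The ID of the Agent policy the rule belongs to; when omitted the rule is resolved against <confirmed behaviour>`, so the generated Javadoc on the client methods states the scope instead of leaving it implicit.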
@@ -7020,8 +7036,240 @@ components: type: string x-enum-varnames: - CLOUD_CONFIGURATION + CloudWorkloadSecurityAgentPoliciesListResponse: + description: Response object that includes a list of Agent policies + properties: + data: + description: A list of Agent policy objects + items: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyData' + type: array + type: object + CloudWorkloadSecurityAgentPolicyAttributes: + description: A Cloud Workload Security Agent policy returned by the API + properties: + blockingRulesCount: + description: The number of rules with the blocking feature in this policy + example: 100 + format: int32 + maximum: 2147483647 + type: integer + datadogManaged: + description: Whether the policy is managed by Datadog + example: false + type: boolean + description: + description: The description of the policy + example: My agent policy + type: string + disabledRulesCount: + description: The number of rules that are disabled in this policy + example: 100 + format: int32 + maximum: 2147483647 + type: integer + enabled: + description: Whether the Agent policy is enabled + example: true + type: boolean + hostTags: + description: The host tags defining where this policy is deployed + items: + type: string + type: array + hostTagsLists: + description: The host tags defining where this policy is deployed, the inner + values are linked with AND, the outer values are linked with OR + items: + items: + type: string + type: array + type: array + monitoringRulesCount: + description: The number of rules in the monitoring state in this policy + example: 100 + format: int32 + maximum: 2147483647 + type: integer + name: + description: The name of the policy + example: my_agent_policy + type: string + policyVersion: + description: The version of the policy + example: '1' + type: string + priority: + description: The priority of the policy + example: 10 + format: int64 + type: integer + ruleCount: + description: The number of rules in this policy + 
example: 100 + format: int32 + maximum: 2147483647 + type: integer + updateDate: + description: Timestamp in milliseconds when the policy was last updated + example: 1624366480320 + format: int64 + type: integer + updatedAt: + description: When the policy was last updated, timestamp in milliseconds + example: 1624366480320 + format: int64 + type: integer + updater: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdaterAttributes' + type: object + CloudWorkloadSecurityAgentPolicyCreateAttributes: + description: Create a new Cloud Workload Security Agent policy + properties: + description: + description: The description of the policy + example: My agent policy + type: string + enabled: + description: Whether the policy is enabled + example: true + type: boolean + hostTags: + description: The host tags defining where this policy is deployed + items: + type: string + type: array + hostTagsLists: + description: The host tags defining where this policy is deployed, the inner + values are linked with AND, the outer values are linked with OR + items: + items: + type: string + type: array + type: array + name: + description: The name of the policy + example: my_agent_policy + type: string + required: + - name + type: object + CloudWorkloadSecurityAgentPolicyCreateData: + description: Object for a single Agent rule + properties: + attributes: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyCreateAttributes' + type: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyType' + required: + - attributes + - type + type: object + CloudWorkloadSecurityAgentPolicyCreateRequest: + description: Request object that includes the Agent policy to create + properties: + data: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyCreateData' + required: + - data + type: object + CloudWorkloadSecurityAgentPolicyData: + description: Object for a single Agent policy + properties: + attributes: + $ref: 
'#/components/schemas/CloudWorkloadSecurityAgentPolicyAttributes' + id: + description: The ID of the Agent policy + example: 6517fcc1-cec7-4394-a655-8d6e9d085255 + type: string + type: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyType' + type: object + CloudWorkloadSecurityAgentPolicyID: + description: The ID of the Agent policy + example: 6517fcc1-cec7-4394-a655-8d6e9d085255 + type: string + CloudWorkloadSecurityAgentPolicyResponse: + description: Response object that includes an Agent policy + properties: + data: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyData' + type: object + CloudWorkloadSecurityAgentPolicyType: + default: policy + description: The type of the resource, must always be `policy` + enum: + - policy + example: policy + type: string + x-enum-varnames: + - POLICY + CloudWorkloadSecurityAgentPolicyUpdateAttributes: + description: Update an existing Cloud Workload Security Agent policy + properties: + description: + description: The description of the policy + example: My agent policy + type: string + enabled: + description: Whether the policy is enabled + example: true + type: boolean + hostTags: + description: The host tags defining where this policy is deployed + items: + type: string + type: array + hostTagsLists: + description: The host tags defining where this policy is deployed, the inner + values are linked with AND, the outer values are linked with OR + items: + items: + type: string + type: array + type: array + name: + description: The name of the policy + example: my_agent_policy + type: string + type: object + CloudWorkloadSecurityAgentPolicyUpdateData: + description: Object for a single Agent policy + properties: + attributes: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdateAttributes' + id: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyID' + type: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyType' + required: + - attributes + - type + type: object + 
CloudWorkloadSecurityAgentPolicyUpdateRequest: + description: Request object that includes the Agent policy with the attributes + to update + properties: + data: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdateData' + required: + - data + type: object + CloudWorkloadSecurityAgentPolicyUpdaterAttributes: + description: The attributes of the user who last updated the policy + properties: + handle: + description: The handle of the user + example: datadog.user@example.com + type: string + name: + description: The name of the user + example: Datadog User + nullable: true + type: string + type: object CloudWorkloadSecurityAgentRuleAction: - description: The action the rule can perform if triggered. + description: The action the rule can perform if triggered properties: filter: description: SECL expression used to target the container to apply the action 
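Review bot: `CloudWorkloadSecurityAgentPolicyCreateData` carries `description: Object for a single Agent rule`, copied from the rule schema; it should read `description: Object for a single Agent policy`, matching the sibling `CloudWorkloadSecurityAgentPolicyData` and `CloudWorkloadSecurityAgentPolicyUpdateData` entries in the same hunk, since this text becomes the generated class Javadoc. In `CloudWorkloadSecurityAgentPolicyAttributes`, `updateDate` and `updatedAt` have identical descriptions and examples; if the API really returns both, the spec should say which one is authoritative (or mark one deprecated) so the generated model does not expose two equivalent fields without guidance. `priority` is declared `format: int64` with no `minimum`, unlike the count fields that carry `maximum: 2147483647`; if priorities are non-negative, that bound is worth stating so the generated setter documentation reflects it.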
@@ -7031,77 +7279,82 @@ components: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleKill' type: object CloudWorkloadSecurityAgentRuleActions: - description: The array of actions the rule can perform if triggered. + description: The array of actions the rule can perform if triggered items: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleAction' nullable: true type: array CloudWorkloadSecurityAgentRuleAttributes: - description: A Cloud Workload Security Agent rule returned by the API. + description: A Cloud Workload Security Agent rule returned by the API properties: actions: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActions' agentConstraint: - description: The version of the agent. + description: The version of the Agent type: string category: - description: The category of the Agent rule. + description: The category of the Agent rule example: Process Activity type: string creationAuthorUuId: - description: The ID of the user who created the rule. + description: The ID of the user who created the rule example: e51c9744-d158-11ec-ad23-da7ad0900002 type: string creationDate: - description: When the Agent rule was created, timestamp in milliseconds. + description: When the Agent rule was created, timestamp in milliseconds example: 1624366480320 format: int64 type: integer creator: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreatorAttributes' defaultRule: - description: Whether the rule is included by default. + description: Whether the rule is included by default example: false type: boolean description: - description: The description of the Agent rule. + description: The description of the Agent rule example: My Agent rule type: string enabled: - description: Whether the Agent rule is enabled. + description: Whether the Agent rule is enabled example: true type: boolean expression: - description: The SECL expression of the Agent rule. 
- example: exec.file.name == \"sh\" + description: The SECL expression of the Agent rule + example: exec.file.name == "sh" type: string filters: - description: The platforms the Agent rule is supported on. + description: The platforms the Agent rule is supported on items: type: string type: array name: - description: The name of the Agent rule. + description: The name of the Agent rule example: my_agent_rule type: string + product_tags: + description: The list of product tags associated with the rule + items: + type: string + type: array updateAuthorUuId: - description: The ID of the user who updated the rule. + description: The ID of the user who updated the rule example: e51c9744-d158-11ec-ad23-da7ad0900002 type: string updateDate: - description: Timestamp in milliseconds when the Agent rule was last updated. + description: Timestamp in milliseconds when the Agent rule was last updated example: 1624366480320 format: int64 type: integer updatedAt: - description: When the Agent rule was last updated, timestamp in milliseconds. + description: When the Agent rule was last updated, timestamp in milliseconds example: 1624366480320 format: int64 type: integer updater: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdaterAttributes' version: - description: The version of the Agent rule. + description: The version of the Agent rule example: 23 format: int64 type: integer @@ -7114,15 +7367,15 @@ components: example: My Agent rule type: string enabled: - description: Whether the Agent rule is enabled. + description: Whether the Agent rule is enabled example: true type: boolean expression: description: The SECL expression of the Agent rule. - example: exec.file.name == \"sh\" + example: exec.file.name == "sh" type: string filters: - description: The platforms the Agent rule is supported on. + description: The platforms the Agent rule is supported on items: type: string type: array 
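Review bot: The new `product_tags` property in `CloudWorkloadSecurityAgentRuleAttributes` is snake_case while every sibling (`agentConstraint`, `creationAuthorUuId`, `updateDate`) is camelCase, and the same holds for `product_tags` and `policy_id` added to the create attributes at `-7130` and the update attributes at `-7205`. If this mirrors the wire format the server actually emits it has to stay, but then the mix deserves a short note in the spec so a later regeneration does not "normalise" it; if it does not, the names should become `productTags` and `policyId` before clients are generated against them. The descriptions `The list of product tags associated with the rule` and `The ID of the policy where the Agent rule is saved` also lack an `example:` entry, which the neighbouring fields consistently provide.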
@@ -7130,12 +7383,21 @@ components: description: The name of the Agent rule. example: my_agent_rule type: string + policy_id: + description: The ID of the policy where the Agent rule is saved + example: a8c8e364-6556-434d-b798-a4c23de29c0b + type: string + product_tags: + description: The list of product tags associated with the rule + items: + type: string + type: array required: - name - expression type: object CloudWorkloadSecurityAgentRuleCreateData: - description: Object for a single Agent rule. + description: Object for a single Agent rule properties: attributes: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateAttributes' @@ -7146,7 +7408,7 @@ components: - type type: object CloudWorkloadSecurityAgentRuleCreateRequest: - description: Request object that includes the Agent rule to create. + description: Request object that includes the Agent rule to create properties: data: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateData' 
@@ -7154,50 +7416,50 @@ components: - data type: object CloudWorkloadSecurityAgentRuleCreatorAttributes: - description: The attributes of the user who created the Agent rule. + description: The attributes of the user who created the Agent rule properties: handle: - description: The handle of the user. + description: The handle of the user example: datadog.user@example.com type: string name: - description: The name of the user. + description: The name of the user example: Datadog User nullable: true type: string type: object CloudWorkloadSecurityAgentRuleData: - description: Object for a single Agent rule. + description: Object for a single Agent rule properties: attributes: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleAttributes' id: - description: The ID of the Agent rule. + description: The ID of the Agent rule example: 3dd-0uc-h1s type: string type: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleType' type: object CloudWorkloadSecurityAgentRuleID: - description: The ID of the agent rule. + description: The ID of the Agent rule example: 3dd-0uc-h1s type: string CloudWorkloadSecurityAgentRuleKill: description: Kill system call applied on the container matching the rule properties: signal: - description: Supported signals for the kill system call. + description: Supported signals for the kill system call type: string type: object CloudWorkloadSecurityAgentRuleResponse: - description: Response object that includes an Agent rule. + description: Response object that includes an Agent rule properties: data: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleData' type: object CloudWorkloadSecurityAgentRuleType: default: agent_rule - description: The type of the resource. The value should always be `agent_rule`. + description: The type of the resource, must always be `agent_rule` enum: - agent_rule example: agent_rule 
@@ -7205,23 +7467,32 @@ components: x-enum-varnames: - AGENT_RULE CloudWorkloadSecurityAgentRuleUpdateAttributes: - description: Update an existing Cloud Workload Security Agent rule. + description: Update an existing Cloud Workload Security Agent rule properties: description: - description: The description of the Agent rule. + description: The description of the Agent rule example: My Agent rule type: string enabled: - description: Whether the Agent rule is enabled. + description: Whether the Agent rule is enabled example: true type: boolean expression: - description: The SECL expression of the Agent rule. - example: exec.file.name == \"sh\" + description: The SECL expression of the Agent rule + example: exec.file.name == "sh" + type: string + policy_id: + description: The ID of the policy where the Agent rule is saved + example: a8c8e364-6556-434d-b798-a4c23de29c0b type: string + product_tags: + description: The list of product tags associated with the rule + items: + type: string + type: array type: object CloudWorkloadSecurityAgentRuleUpdateData: - description: Object for a single Agent rule. + description: Object for a single Agent rule properties: attributes: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateAttributes' @@ -7235,7 +7506,7 @@ components: type: object CloudWorkloadSecurityAgentRuleUpdateRequest: description: Request object that includes the Agent rule with the attributes - to update. + to update properties: data: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateData' 
@@ -7243,23 +7514,23 @@ components: - data type: object CloudWorkloadSecurityAgentRuleUpdaterAttributes: - description: The attributes of the user who last updated the Agent rule. + description: The attributes of the user who last updated the Agent rule properties: handle: - description: The handle of the user. + description: The handle of the user example: datadog.user@example.com type: string name: - description: The name of the user. + description: The name of the user example: Datadog User nullable: true type: string type: object CloudWorkloadSecurityAgentRulesListResponse: - description: Response object that includes a list of Agent rule. + description: Response object that includes a list of Agent rule properties: data: - description: A list of Agent rules objects. + description: A list of Agent rules objects items: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleData' type: array @@ -48792,8 +49063,10 @@ paths: x-terraform-resource: appsec_waf_exclusion_filter /api/v2/remote_config/products/cws/agent_rules: get: - description: Get the list of Cloud Security Management Threats Agent rules. + description: Get the list of Cloud Security Management Threats Agent rules operationId: ListCSMThreatsAgentRules + parameters: + - $ref: '#/components/parameters/CloudWorkloadSecurityQueryAgentPolicyID' responses: '200': content: @@ -48810,14 +49083,14 @@ paths: - CSM Threats post: description: Create a new Cloud Security Management Threats Agent rule with - the given parameters. + the given parameters operationId: CreateCSMThreatsAgentRule requestBody: content: application/json: schema: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateRequest' - description: The definition of the new Agent rule. + description: The definition of the new Agent rule required: true responses: '200': 
@@ -48840,10 +49113,11 @@ paths: x-codegen-request-body-name: body /api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}: delete: - description: Delete a specific Cloud Security Management Threats Agent rule. + description: Delete a specific Cloud Security Management Threats Agent rule operationId: DeleteCSMThreatsAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + - $ref: '#/components/parameters/CloudWorkloadSecurityQueryAgentPolicyID' responses: '204': description: OK @@ -48858,10 +49132,11 @@ paths: - CSM Threats get: description: Get the details of a specific Cloud Security Management Threats - Agent rule. + Agent rule operationId: GetCSMThreatsAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + - $ref: '#/components/parameters/CloudWorkloadSecurityQueryAgentPolicyID' responses: '200': content: @@ -48885,12 +49160,13 @@ paths: operationId: UpdateCSMThreatsAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' + - $ref: '#/components/parameters/CloudWorkloadSecurityQueryAgentPolicyID' requestBody: content: application/json: schema: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateRequest' - description: New definition of the Agent rule. + description: New definition of the Agent rule required: true responses: '200': 
@@ -48913,6 +49189,54 @@ paths: tags: - CSM Threats x-codegen-request-body-name: body + /api/v2/remote_config/products/cws/policy: + get: + description: Get the list of Cloud Security Management Threats Agent policies + operationId: ListCSMThreatsAgentPolicies + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPoliciesListResponse' + description: OK + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Get all CSM Threats Agent policies + tags: + - CSM Threats + post: + description: Create a new Cloud Security Management Threats Agent policy with + the given parameters + operationId: CreateCSMThreatsAgentPolicy + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyCreateRequest' + description: The definition of the new Agent policy + required: true + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyResponse' + description: OK + '400': + $ref: '#/components/responses/BadRequestResponse' + '403': + $ref: '#/components/responses/NotAuthorizedResponse' + '409': + $ref: '#/components/responses/ConflictResponse' + '429': + $ref: '#/components/responses/TooManyRequestsResponse' + summary: Create a CSM Threats Agent policy + tags: + - CSM Threats + x-codegen-request-body-name: body /api/v2/remote_config/products/cws/policy/download: get: description: 'The download endpoint generates a CSM Threats policy file from 
@@ -48938,6 +49262,83 @@ paths:
 summary: Get the latest CSM Threats policy
 tags:
 - CSM Threats
+ /api/v2/remote_config/products/cws/policy/{policy_id}:
+ delete:
+ description: Delete a specific Cloud Security Management Threats Agent policy
+ operationId: DeleteCSMThreatsAgentPolicy
+ parameters:
+ - $ref: '#/components/parameters/CloudWorkloadSecurityPathAgentPolicyID'
+ responses:
+ '202':
+ description: OK
+ '204':
+ description: OK
+ '403':
+ $ref: '#/components/responses/NotAuthorizedResponse'
+ '404':
+ $ref: '#/components/responses/NotFoundResponse'
+ '429':
+ $ref: '#/components/responses/TooManyRequestsResponse'
+ summary: Delete a CSM Threats Agent policy
+ tags:
+ - CSM Threats
+ get:
+ description: Get the details of a specific Cloud Security Management Threats
+ Agent policy
+ operationId: GetCSMThreatsAgentPolicy
+ parameters:
+ - $ref: '#/components/parameters/CloudWorkloadSecurityPathAgentPolicyID'
+ responses:
+ '200':
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyResponse'
+ description: OK
+ '403':
+ $ref: '#/components/responses/NotAuthorizedResponse'
+ '404':
+ $ref: '#/components/responses/NotFoundResponse'
+ '429':
+ $ref: '#/components/responses/TooManyRequestsResponse'
+ summary: Get a CSM Threats Agent policy
+ tags:
+ - CSM Threats
+ patch:
+ description: 'Update a specific Cloud Security Management Threats Agent policy.
+
+ Returns the Agent policy object when the request is successful.'
+ operationId: UpdateCSMThreatsAgentPolicy
+ parameters:
+ - $ref: '#/components/parameters/CloudWorkloadSecurityPathAgentPolicyID'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdateRequest'
+ description: New definition of the Agent policy
+ required: true
+ responses:
+ '200':
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyResponse'
+ description: OK
+ '400':
+ $ref: '#/components/responses/BadRequestResponse'
+ '403':
+ $ref: '#/components/responses/NotAuthorizedResponse'
+ '404':
+ $ref: '#/components/responses/NotFoundResponse'
+ '409':
+ $ref: '#/components/responses/ConcurrentModificationResponse'
+ '429':
+ $ref: '#/components/responses/TooManyRequestsResponse'
+ summary: Update a CSM Threats Agent policy
+ tags:
+ - CSM Threats
+ x-codegen-request-body-name: body
 /api/v2/remote_config/products/obs_pipelines/pipelines:
 post:
 description: Create a new pipeline.
@@ -51843,7 +52244,7 @@ paths:
 - security_monitoring_notification_profiles_write
 /api/v2/security_monitoring/cloud_workload_security/agent_rules:
 get:
- description: Get the list of Agent rules.
+ description: Get the list of Agent rules
 operationId: ListCloudWorkloadSecurityAgentRules
 responses:
 '200':
@@ -51871,7 +52272,7 @@ paths:
 application/json:
 schema:
 $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateRequest'
- description: The definition of the new Agent rule.
+ description: The definition of the new Agent rule
 required: true
 responses:
 '200':
@@ -51898,7 +52299,7 @@ paths:
 - security_monitoring_cws_agent_rules_write
 /api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}:
 delete:
- description: Delete a specific Agent rule.
+ description: Delete a specific Agent rule
 operationId: DeleteCloudWorkloadSecurityAgentRule
 parameters:
 - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID'
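Review bot: The new delete operation under `/api/v2/remote_config/products/cws/policy/{policy_id}` declares both `'202'` and `'204'` with the identical description `OK`, which hides the difference between a deletion that is merely accepted and one that has completed; a client that receives 202 and immediately calls `GetCSMThreatsAgentPolicy` may still see the policy. Suggest `description: Accepted` for `'202'`, or a sentence in the operation description saying that deletion may complete asynchronously, so the generated client Javadoc tables document the two outcomes. The hunk begins on the preceding line.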
@@ -51919,7 +52320,7 @@ paths:
 permissions:
 - security_monitoring_cws_agent_rules_write
 get:
- description: Get the details of a specific Agent rule.
+ description: Get the details of a specific Agent rule
 operationId: GetCloudWorkloadSecurityAgentRule
 parameters:
 - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID'
@@ -51955,7 +52356,7 @@ paths:
 application/json:
 schema:
 $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateRequest'
- description: New definition of the Agent rule.
+ description: New definition of the Agent rule
 required: true
 responses:
 '200':
diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.java b/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.java
new file mode 100644
index 00000000000..589a9e8a5ba
--- /dev/null
+++ b/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.java
@@ -0,0 +1,43 @@
+// Create a CSM Threats Agent policy returns "OK" response
+
+import com.datadog.api.client.ApiClient;
+import com.datadog.api.client.ApiException;
+import com.datadog.api.client.v2.api.CsmThreatsApi;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyCreateAttributes;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyCreateData;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyCreateRequest;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyResponse;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyType;
+import java.util.Collections;
+
+public class Example {
+ public static void main(String[] args) {
+ ApiClient defaultClient = ApiClient.getDefaultApiClient();
+ CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);
+
+ CloudWorkloadSecurityAgentPolicyCreateRequest body =
+ new CloudWorkloadSecurityAgentPolicyCreateRequest()
+ .data(
+ new CloudWorkloadSecurityAgentPolicyCreateData()
+ .attributes(
+ new CloudWorkloadSecurityAgentPolicyCreateAttributes()
+ .description("My agent policy")
+ .enabled(true)
+ .hostTagsLists(
+ Collections.singletonList(Collections.singletonList("env:test")))
+ .name("my_agent_policy"))
+ .type(CloudWorkloadSecurityAgentPolicyType.POLICY));
+
+ try {
+ CloudWorkloadSecurityAgentPolicyResponse result =
+ apiInstance.createCSMThreatsAgentPolicy(body);
+ System.out.println(result);
+ } catch (ApiException e) {
+ System.err.println("Exception when calling CsmThreatsApi#createCSMThreatsAgentPolicy");
+ System.err.println("Status code: " + e.getCode());
+ System.err.println("Reason: " + e.getResponseBody());
+ System.err.println("Response headers: " + e.getResponseHeaders());
+ e.printStackTrace();
+ }
+ }
+}
diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.java b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.java
index 694eab569af..ffd615c8e75 100644
--- a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.java
+++ b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.java
@@ -8,13 +8,15 @@
 import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateRequest;
 import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse;
 import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleType;
-import java.util.Collections;
 public class Example {
 public static void main(String[] args) {
 ApiClient defaultClient = ApiClient.getDefaultApiClient();
 CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);
+ // there is a valid "policy_rc" in the system
+ String POLICY_DATA_ID = System.getenv("POLICY_DATA_ID");
+
 CloudWorkloadSecurityAgentRuleCreateRequest body =
 new CloudWorkloadSecurityAgentRuleCreateRequest()
 .data(
@@ -26,10 +28,8 @@ public static void main(String[] args) {
 .expression("""
 exec.file.name == "sh"
 """)
- .filters(Collections.singletonList("""
-os == "linux"
-"""))
- .name("examplecsmthreat"))
+ .name("examplecsmthreat")
+ .policyId(POLICY_DATA_ID))
 .type(CloudWorkloadSecurityAgentRuleType.AGENT_RULE));
 try {
diff --git a/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.java b/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.java
index ac58b83a1dc..e4b576a87ba 100644
--- a/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.java
+++ b/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.java
@@ -20,7 +20,7 @@ public static void main(String[] args) {
 new CloudWorkloadSecurityAgentRuleCreateData()
 .attributes(
 new CloudWorkloadSecurityAgentRuleCreateAttributes()
- .description("Test Agent rule")
+ .description("My Agent rule")
 .enabled(true)
 .expression("""
 exec.file.name == "sh"
diff --git a/examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.java b/examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.java
new file mode 100644
index 00000000000..208f9e23875
--- /dev/null
+++ b/examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.java
@@ -0,0 +1,25 @@
+// Delete a CSM Threats Agent policy returns "OK" response
+
+import com.datadog.api.client.ApiClient;
+import com.datadog.api.client.ApiException;
+import com.datadog.api.client.v2.api.CsmThreatsApi;
+
+public class Example {
+ public static void main(String[] args) {
+ ApiClient defaultClient = ApiClient.getDefaultApiClient();
+ CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);
+
+ // there is a valid "policy_rc" in the system
+ String POLICY_DATA_ID = System.getenv("POLICY_DATA_ID");
+
+ try {
+ apiInstance.deleteCSMThreatsAgentPolicy(POLICY_DATA_ID);
+ } catch (ApiException e) {
+ System.err.println("Exception when calling CsmThreatsApi#deleteCSMThreatsAgentPolicy");
+ System.err.println("Status code: " + e.getCode());
+ System.err.println("Reason: " + e.getResponseBody());
+ System.err.println("Response headers: " + e.getResponseHeaders());
+ e.printStackTrace();
+ }
+ }
+}
diff --git a/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.java b/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.java
index 09824af46fe..d071d87e064 100644
--- a/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.java
+++ b/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.java
@@ -3,6 +3,7 @@
 import com.datadog.api.client.ApiClient;
 import com.datadog.api.client.ApiException;
 import com.datadog.api.client.v2.api.CsmThreatsApi;
+import com.datadog.api.client.v2.api.CsmThreatsApi.DeleteCSMThreatsAgentRuleOptionalParameters;
 public class Example {
 public static void main(String[] args) {
@@ -12,8 +13,13 @@ public static void main(String[] args) {
 // there is a valid "agent_rule_rc" in the system
 String AGENT_RULE_DATA_ID = System.getenv("AGENT_RULE_DATA_ID");
+ // there is a valid "policy_rc" in the system
+ String POLICY_DATA_ID = System.getenv("POLICY_DATA_ID");
+
 try {
- apiInstance.deleteCSMThreatsAgentRule(AGENT_RULE_DATA_ID);
+ apiInstance.deleteCSMThreatsAgentRule(
+ AGENT_RULE_DATA_ID,
+ new DeleteCSMThreatsAgentRuleOptionalParameters().policyId(POLICY_DATA_ID));
 } catch (ApiException e) {
 System.err.println("Exception when calling CsmThreatsApi#deleteCSMThreatsAgentRule");
 System.err.println("Status code: " + e.getCode());
diff --git a/examples/v2/csm-threats/GetCSMThreatsAgentPolicy.java b/examples/v2/csm-threats/GetCSMThreatsAgentPolicy.java
new file mode 100644
index 00000000000..a39f596c311
--- /dev/null
+++ b/examples/v2/csm-threats/GetCSMThreatsAgentPolicy.java
@@ -0,0 +1,28 @@
+// Get a CSM Threats Agent policy returns "OK" response
+
+import com.datadog.api.client.ApiClient;
+import com.datadog.api.client.ApiException;
+import com.datadog.api.client.v2.api.CsmThreatsApi;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyResponse;
+
+public class Example {
+ public static void main(String[] args) {
+ ApiClient defaultClient = ApiClient.getDefaultApiClient();
+ CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);
+
+ // there is a valid "policy_rc" in the system
+ String POLICY_DATA_ID = System.getenv("POLICY_DATA_ID");
+
+ try {
+ CloudWorkloadSecurityAgentPolicyResponse result =
+ apiInstance.getCSMThreatsAgentPolicy(POLICY_DATA_ID);
+ System.out.println(result);
+ } catch (ApiException e) {
+ System.err.println("Exception when calling CsmThreatsApi#getCSMThreatsAgentPolicy");
+ System.err.println("Status code: " + e.getCode());
+ System.err.println("Reason: " + e.getResponseBody());
+ System.err.println("Response headers: " + e.getResponseHeaders());
+ e.printStackTrace();
+ }
+ }
+}
diff --git a/examples/v2/csm-threats/GetCSMThreatsAgentRule.java b/examples/v2/csm-threats/GetCSMThreatsAgentRule.java
index 30699e7f54e..787ce177aeb 100644
--- a/examples/v2/csm-threats/GetCSMThreatsAgentRule.java
+++ b/examples/v2/csm-threats/GetCSMThreatsAgentRule.java
@@ -3,6 +3,7 @@
 import com.datadog.api.client.ApiClient;
 import com.datadog.api.client.ApiException;
 import com.datadog.api.client.v2.api.CsmThreatsApi;
+import com.datadog.api.client.v2.api.CsmThreatsApi.GetCSMThreatsAgentRuleOptionalParameters;
 import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse;
 public class Example {
@@ -13,9 +14,14 @@ public static void main(String[] args) {
 // there is a valid "agent_rule_rc" in the system
 String AGENT_RULE_DATA_ID = System.getenv("AGENT_RULE_DATA_ID");
+ // there is a valid "policy_rc" in the system
+ String POLICY_DATA_ID = System.getenv("POLICY_DATA_ID");
+
 try {
 CloudWorkloadSecurityAgentRuleResponse result =
- apiInstance.getCSMThreatsAgentRule(AGENT_RULE_DATA_ID);
+ apiInstance.getCSMThreatsAgentRule(
+ AGENT_RULE_DATA_ID,
+ new GetCSMThreatsAgentRuleOptionalParameters().policyId(POLICY_DATA_ID));
 System.out.println(result);
 } catch (ApiException e) {
 System.err.println("Exception when calling CsmThreatsApi#getCSMThreatsAgentRule");
diff --git a/examples/v2/csm-threats/ListCSMThreatsAgentPolicies.java b/examples/v2/csm-threats/ListCSMThreatsAgentPolicies.java
new file mode 100644
index 00000000000..92042f1bed5
--- /dev/null
+++ b/examples/v2/csm-threats/ListCSMThreatsAgentPolicies.java
@@ -0,0 +1,25 @@
+// Get all CSM Threats Agent policies returns "OK" response
+
+import com.datadog.api.client.ApiClient;
+import com.datadog.api.client.ApiException;
+import com.datadog.api.client.v2.api.CsmThreatsApi;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPoliciesListResponse;
+
+public class Example {
+ public static void main(String[] args) {
+ ApiClient defaultClient = ApiClient.getDefaultApiClient();
+ CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);
+
+ try {
+ CloudWorkloadSecurityAgentPoliciesListResponse result =
+ apiInstance.listCSMThreatsAgentPolicies();
+ System.out.println(result);
+ } catch (ApiException e) {
+ System.err.println("Exception when calling CsmThreatsApi#listCSMThreatsAgentPolicies");
+ System.err.println("Status code: " + e.getCode());
+ System.err.println("Reason: " + e.getResponseBody());
+ System.err.println("Response headers: " + e.getResponseHeaders());
+ e.printStackTrace();
+ }
+ }
+}
diff --git a/examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.java b/examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.java
new file mode 100644
index 00000000000..9a35e786348
--- /dev/null
+++ b/examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.java
@@ -0,0 +1,47 @@
+// Update a CSM Threats Agent policy returns "OK" response
+
+import com.datadog.api.client.ApiClient;
+import com.datadog.api.client.ApiException;
+import com.datadog.api.client.v2.api.CsmThreatsApi;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyResponse;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyType;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyUpdateAttributes;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyUpdateData;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyUpdateRequest;
+import java.util.Collections;
+
+public class Example {
+ public static void main(String[] args) {
+ ApiClient defaultClient = ApiClient.getDefaultApiClient();
+ CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);
+
+ // there is a valid "policy_rc" in the system
+ String POLICY_DATA_ID = System.getenv("POLICY_DATA_ID");
+
+ CloudWorkloadSecurityAgentPolicyUpdateRequest body =
+ new CloudWorkloadSecurityAgentPolicyUpdateRequest()
+ .data(
+ new CloudWorkloadSecurityAgentPolicyUpdateData()
+ .attributes(
+ new CloudWorkloadSecurityAgentPolicyUpdateAttributes()
+ .description("Updated agent policy")
+ .enabled(true)
+ .hostTagsLists(
+ Collections.singletonList(Collections.singletonList("env:test")))
+ .name("updated_agent_policy"))
+ .id(POLICY_DATA_ID)
+ .type(CloudWorkloadSecurityAgentPolicyType.POLICY));
+
+ try {
+ CloudWorkloadSecurityAgentPolicyResponse result =
+ apiInstance.updateCSMThreatsAgentPolicy(POLICY_DATA_ID, body);
+ System.out.println(result);
+ } catch (ApiException e) {
+ System.err.println("Exception when calling CsmThreatsApi#updateCSMThreatsAgentPolicy");
+ System.err.println("Status code: " + e.getCode());
+ System.err.println("Reason: " + e.getResponseBody());
+ System.err.println("Response headers: " + e.getResponseHeaders());
+ e.printStackTrace();
+ }
+ }
+}
diff --git a/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.java b/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.java
index ff278494363..8ec292c4643 100644
--- a/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.java
+++ b/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.java
@@ -3,6 +3,7 @@
 import com.datadog.api.client.ApiClient;
 import com.datadog.api.client.ApiException;
 import com.datadog.api.client.v2.api.CsmThreatsApi;
+import com.datadog.api.client.v2.api.CsmThreatsApi.UpdateCSMThreatsAgentRuleOptionalParameters;
 import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse;
 import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleType;
 import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleUpdateAttributes;
@@ -17,23 +18,30 @@ public static void main(String[] args) {
 // there is a valid "agent_rule_rc" in the system
 String AGENT_RULE_DATA_ID = System.getenv("AGENT_RULE_DATA_ID");
+ // there is a valid "policy_rc" in the system
+ String POLICY_DATA_ID = System.getenv("POLICY_DATA_ID");
+
 CloudWorkloadSecurityAgentRuleUpdateRequest body =
 new CloudWorkloadSecurityAgentRuleUpdateRequest()
 .data(
 new CloudWorkloadSecurityAgentRuleUpdateData()
 .attributes(
 new CloudWorkloadSecurityAgentRuleUpdateAttributes()
- .description("Test Agent rule")
+ .description("My Agent rule")
 .enabled(true)
 .expression("""
 exec.file.name == "sh"
-"""))
- .type(CloudWorkloadSecurityAgentRuleType.AGENT_RULE)
- .id(AGENT_RULE_DATA_ID));
+""")
+ .policyId(POLICY_DATA_ID))
+ .id(AGENT_RULE_DATA_ID)
+ .type(CloudWorkloadSecurityAgentRuleType.AGENT_RULE));
 try {
 CloudWorkloadSecurityAgentRuleResponse result =
- apiInstance.updateCSMThreatsAgentRule(AGENT_RULE_DATA_ID, body);
+ apiInstance.updateCSMThreatsAgentRule(
+ AGENT_RULE_DATA_ID,
+ body,
+ new UpdateCSMThreatsAgentRuleOptionalParameters().policyId(POLICY_DATA_ID));
 System.out.println(result);
 } catch (ApiException e) {
 System.err.println("Exception when calling CsmThreatsApi#updateCSMThreatsAgentRule");
diff --git a/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.java b/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.java
index 517a7963934..7e2d14c13e8 100644
--- a/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.java
+++ b/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.java
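Review bot: `POLICY_DATA_ID` is now supplied twice in this example, as `.policyId(POLICY_DATA_ID)` in the update attributes and again as the query parameter through `UpdateCSMThreatsAgentRuleOptionalParameters`, and nothing says which one the service treats as authoritative if they differ. A one-line comment above the request body, e.g. `// the policy id in the body and the policy_id query parameter must refer to the same policy`, would spare readers a trip to the spec, assuming that is the contract; if the two serve different purposes, state that instead. main() begins and ends outside this hunk.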
@@ -23,13 +23,12 @@ public static void main(String[] args) {
 new CloudWorkloadSecurityAgentRuleUpdateData()
 .attributes(
 new CloudWorkloadSecurityAgentRuleUpdateAttributes()
- .description("Test Agent rule")
- .enabled(true)
+ .description("Updated Agent rule")
 .expression("""
 exec.file.name == "sh"
 """))
- .type(CloudWorkloadSecurityAgentRuleType.AGENT_RULE)
- .id(AGENT_RULE_DATA_ID));
+ .id(AGENT_RULE_DATA_ID)
+ .type(CloudWorkloadSecurityAgentRuleType.AGENT_RULE));
 try {
 CloudWorkloadSecurityAgentRuleResponse result =
diff --git a/src/main/java/com/datadog/api/client/v2/api/CsmThreatsApi.java b/src/main/java/com/datadog/api/client/v2/api/CsmThreatsApi.java
index 45ae8d051fd..e196f81b175 100644
--- a/src/main/java/com/datadog/api/client/v2/api/CsmThreatsApi.java
+++ b/src/main/java/com/datadog/api/client/v2/api/CsmThreatsApi.java
@@ -4,6 +4,10 @@
 import com.datadog.api.client.ApiException;
 import com.datadog.api.client.ApiResponse;
 import com.datadog.api.client.Pair;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPoliciesListResponse;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyCreateRequest;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyResponse;
+import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentPolicyUpdateRequest;
 import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateRequest;
 import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse;
 import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleUpdateRequest;
@@ -13,6 +17,7 @@
 import java.io.File;
 import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.concurrent.CompletableFuture;
@@ -52,7 +57,7 @@ public void setApiClient(ApiClient apiClient) {
 *
 *

See {@link #createCloudWorkloadSecurityAgentRuleWithHttpInfo}. * - * @param body The definition of the new Agent rule. (required) + * @param body The definition of the new Agent rule (required) * @return CloudWorkloadSecurityAgentRuleResponse * @throws ApiException if fails to make API call */ @@ -66,7 +71,7 @@ public CloudWorkloadSecurityAgentRuleResponse createCloudWorkloadSecurityAgentRu * *

See {@link #createCloudWorkloadSecurityAgentRuleWithHttpInfoAsync}. * - * @param body The definition of the new Agent rule. (required) + * @param body The definition of the new Agent rule (required) * @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse> */ public CompletableFuture @@ -81,7 +86,7 @@ public CloudWorkloadSecurityAgentRuleResponse createCloudWorkloadSecurityAgentRu /** * Create a new Agent rule with the given parameters. * - * @param body The definition of the new Agent rule. (required) + * @param body The definition of the new Agent rule (required) * @return ApiResponse<CloudWorkloadSecurityAgentRuleResponse> * @throws ApiException if fails to make API call * @http.response.details @@ -137,7 +142,7 @@ public CloudWorkloadSecurityAgentRuleResponse createCloudWorkloadSecurityAgentRu * *

See {@link #createCloudWorkloadSecurityAgentRuleWithHttpInfo}. * - * @param body The definition of the new Agent rule. (required) + * @param body The definition of the new Agent rule (required) * @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentRuleResponse>> */ public CompletableFuture> @@ -189,12 +194,151 @@ public CloudWorkloadSecurityAgentRuleResponse createCloudWorkloadSecurityAgentRu new GenericType() {}); } + /** + * Create a CSM Threats Agent policy. + * + *

See {@link #createCSMThreatsAgentPolicyWithHttpInfo}. + * + * @param body The definition of the new Agent policy (required) + * @return CloudWorkloadSecurityAgentPolicyResponse + * @throws ApiException if fails to make API call + */ + public CloudWorkloadSecurityAgentPolicyResponse createCSMThreatsAgentPolicy( + CloudWorkloadSecurityAgentPolicyCreateRequest body) throws ApiException { + return createCSMThreatsAgentPolicyWithHttpInfo(body).getData(); + } + + /** + * Create a CSM Threats Agent policy. + * + *

See {@link #createCSMThreatsAgentPolicyWithHttpInfoAsync}. + * + * @param body The definition of the new Agent policy (required) + * @return CompletableFuture<CloudWorkloadSecurityAgentPolicyResponse> + */ + public CompletableFuture + createCSMThreatsAgentPolicyAsync(CloudWorkloadSecurityAgentPolicyCreateRequest body) { + return createCSMThreatsAgentPolicyWithHttpInfoAsync(body) + .thenApply( + response -> { + return response.getData(); + }); + } + + /** + * Create a new Cloud Security Management Threats Agent policy with the given parameters + * + * @param body The definition of the new Agent policy (required) + * @return ApiResponse<CloudWorkloadSecurityAgentPolicyResponse> + * @throws ApiException if fails to make API call + * @http.response.details + * + * + * + * + * + * + * + * + *
Response details
Status Code Description Response Headers
200 OK -
400 Bad Request -
403 Not Authorized -
409 Conflict -
429 Too many requests -
+ */ + public ApiResponse + createCSMThreatsAgentPolicyWithHttpInfo(CloudWorkloadSecurityAgentPolicyCreateRequest body) + throws ApiException { + Object localVarPostBody = body; + + // verify the required parameter 'body' is set + if (body == null) { + throw new ApiException( + 400, "Missing the required parameter 'body' when calling createCSMThreatsAgentPolicy"); + } + // create path and map variables + String localVarPath = "/api/v2/remote_config/products/cws/policy"; + + Map localVarHeaderParams = new HashMap(); + + Invocation.Builder builder = + apiClient.createBuilder( + "v2.CsmThreatsApi.createCSMThreatsAgentPolicy", + localVarPath, + new ArrayList(), + localVarHeaderParams, + new HashMap(), + new String[] {"application/json"}, + new String[] {"apiKeyAuth", "appKeyAuth"}); + return apiClient.invokeAPI( + "POST", + builder, + localVarHeaderParams, + new String[] {"application/json"}, + localVarPostBody, + new HashMap(), + false, + new GenericType() {}); + } + + /** + * Create a CSM Threats Agent policy. + * + *

See {@link #createCSMThreatsAgentPolicyWithHttpInfo}. + * + * @param body The definition of the new Agent policy (required) + * @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentPolicyResponse>> + */ + public CompletableFuture> + createCSMThreatsAgentPolicyWithHttpInfoAsync( + CloudWorkloadSecurityAgentPolicyCreateRequest body) { + Object localVarPostBody = body; + + // verify the required parameter 'body' is set + if (body == null) { + CompletableFuture> result = + new CompletableFuture<>(); + result.completeExceptionally( + new ApiException( + 400, + "Missing the required parameter 'body' when calling createCSMThreatsAgentPolicy")); + return result; + } + // create path and map variables + String localVarPath = "/api/v2/remote_config/products/cws/policy"; + + Map localVarHeaderParams = new HashMap(); + + Invocation.Builder builder; + try { + builder = + apiClient.createBuilder( + "v2.CsmThreatsApi.createCSMThreatsAgentPolicy", + localVarPath, + new ArrayList(), + localVarHeaderParams, + new HashMap(), + new String[] {"application/json"}, + new String[] {"apiKeyAuth", "appKeyAuth"}); + } catch (ApiException ex) { + CompletableFuture> result = + new CompletableFuture<>(); + result.completeExceptionally(ex); + return result; + } + return apiClient.invokeAPIAsync( + "POST", + builder, + localVarHeaderParams, + new String[] {"application/json"}, + localVarPostBody, + new HashMap(), + false, + new GenericType() {}); + } + /** * Create a CSM Threats Agent rule. * *

See {@link #createCSMThreatsAgentRuleWithHttpInfo}. * - * @param body The definition of the new Agent rule. (required) + * @param body The definition of the new Agent rule (required) * @return CloudWorkloadSecurityAgentRuleResponse * @throws ApiException if fails to make API call */ @@ -208,7 +352,7 @@ public CloudWorkloadSecurityAgentRuleResponse createCSMThreatsAgentRule( * *

See {@link #createCSMThreatsAgentRuleWithHttpInfoAsync}. * - * @param body The definition of the new Agent rule. (required) + * @param body The definition of the new Agent rule (required) * @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse> */ public CompletableFuture createCSMThreatsAgentRuleAsync( @@ -221,9 +365,9 @@ public CompletableFuture createCSMThreat } /** - * Create a new Cloud Security Management Threats Agent rule with the given parameters. + * Create a new Cloud Security Management Threats Agent rule with the given parameters * - * @param body The definition of the new Agent rule. (required) + * @param body The definition of the new Agent rule (required) * @return ApiResponse<CloudWorkloadSecurityAgentRuleResponse> * @throws ApiException if fails to make API call * @http.response.details @@ -276,7 +420,7 @@ public ApiResponse createCSMThreatsAgent * *

See {@link #createCSMThreatsAgentRuleWithHttpInfo}. * - * @param body The definition of the new Agent rule. (required) + * @param body The definition of the new Agent rule (required) * @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentRuleResponse>> */ public CompletableFuture> @@ -330,7 +474,7 @@ public ApiResponse createCSMThreatsAgent * *

See {@link #deleteCloudWorkloadSecurityAgentRuleWithHttpInfo}. * - * @param agentRuleId The ID of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) * @throws ApiException if fails to make API call */ public void deleteCloudWorkloadSecurityAgentRule(String agentRuleId) throws ApiException { @@ -342,7 +486,7 @@ public void deleteCloudWorkloadSecurityAgentRule(String agentRuleId) throws ApiE * *

See {@link #deleteCloudWorkloadSecurityAgentRuleWithHttpInfoAsync}. * - * @param agentRuleId The ID of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) * @return CompletableFuture */ public CompletableFuture deleteCloudWorkloadSecurityAgentRuleAsync(String agentRuleId) { @@ -354,9 +498,9 @@ public CompletableFuture deleteCloudWorkloadSecurityAgentRuleAsync(String } /** - * Delete a specific Agent rule. + * Delete a specific Agent rule * - * @param agentRuleId The ID of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) * @return ApiResponse<Void> * @throws ApiException if fails to make API call * @http.response.details @@ -413,7 +557,7 @@ public ApiResponse deleteCloudWorkloadSecurityAgentRuleWithHttpInfo(String * *

See {@link #deleteCloudWorkloadSecurityAgentRuleWithHttpInfo}. * - * @param agentRuleId The ID of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) * @return CompletableFuture<ApiResponse<Void>> */ public CompletableFuture> deleteCloudWorkloadSecurityAgentRuleWithHttpInfoAsync( @@ -465,16 +609,171 @@ public CompletableFuture> deleteCloudWorkloadSecurityAgentRule null); } + /** + * Delete a CSM Threats Agent policy. + * + *

See {@link #deleteCSMThreatsAgentPolicyWithHttpInfo}. + * + * @param policyId The ID of the Agent policy (required) + * @throws ApiException if fails to make API call + */ + public void deleteCSMThreatsAgentPolicy(String policyId) throws ApiException { + deleteCSMThreatsAgentPolicyWithHttpInfo(policyId); + } + + /** + * Delete a CSM Threats Agent policy. + * + *

See {@link #deleteCSMThreatsAgentPolicyWithHttpInfoAsync}. + * + * @param policyId The ID of the Agent policy (required) + * @return CompletableFuture + */ + public CompletableFuture deleteCSMThreatsAgentPolicyAsync(String policyId) { + return deleteCSMThreatsAgentPolicyWithHttpInfoAsync(policyId) + .thenApply( + response -> { + return response.getData(); + }); + } + + /** + * Delete a specific Cloud Security Management Threats Agent policy + * + * @param policyId The ID of the Agent policy (required) + * @return ApiResponse<Void> + * @throws ApiException if fails to make API call + * @http.response.details + * + * + * + * + * + * + * + * + *
Response details
Status Code Description Response Headers
202 OK -
204 OK -
403 Not Authorized -
404 Not Found -
429 Too many requests -
+ */ + public ApiResponse deleteCSMThreatsAgentPolicyWithHttpInfo(String policyId) + throws ApiException { + Object localVarPostBody = null; + + // verify the required parameter 'policyId' is set + if (policyId == null) { + throw new ApiException( + 400, + "Missing the required parameter 'policyId' when calling deleteCSMThreatsAgentPolicy"); + } + // create path and map variables + String localVarPath = + "/api/v2/remote_config/products/cws/policy/{policy_id}" + .replaceAll("\\{" + "policy_id" + "\\}", apiClient.escapeString(policyId.toString())); + + Map localVarHeaderParams = new HashMap(); + + Invocation.Builder builder = + apiClient.createBuilder( + "v2.CsmThreatsApi.deleteCSMThreatsAgentPolicy", + localVarPath, + new ArrayList(), + localVarHeaderParams, + new HashMap(), + new String[] {"*/*"}, + new String[] {"apiKeyAuth", "appKeyAuth"}); + return apiClient.invokeAPI( + "DELETE", + builder, + localVarHeaderParams, + new String[] {}, + localVarPostBody, + new HashMap(), + false, + null); + } + + /** + * Delete a CSM Threats Agent policy. + * + *

See {@link #deleteCSMThreatsAgentPolicyWithHttpInfo}. + * + * @param policyId The ID of the Agent policy (required) + * @return CompletableFuture<ApiResponse<Void>> + */ + public CompletableFuture> deleteCSMThreatsAgentPolicyWithHttpInfoAsync( + String policyId) { + Object localVarPostBody = null; + + // verify the required parameter 'policyId' is set + if (policyId == null) { + CompletableFuture> result = new CompletableFuture<>(); + result.completeExceptionally( + new ApiException( + 400, + "Missing the required parameter 'policyId' when calling" + + " deleteCSMThreatsAgentPolicy")); + return result; + } + // create path and map variables + String localVarPath = + "/api/v2/remote_config/products/cws/policy/{policy_id}" + .replaceAll("\\{" + "policy_id" + "\\}", apiClient.escapeString(policyId.toString())); + + Map localVarHeaderParams = new HashMap(); + + Invocation.Builder builder; + try { + builder = + apiClient.createBuilder( + "v2.CsmThreatsApi.deleteCSMThreatsAgentPolicy", + localVarPath, + new ArrayList(), + localVarHeaderParams, + new HashMap(), + new String[] {"*/*"}, + new String[] {"apiKeyAuth", "appKeyAuth"}); + } catch (ApiException ex) { + CompletableFuture> result = new CompletableFuture<>(); + result.completeExceptionally(ex); + return result; + } + return apiClient.invokeAPIAsync( + "DELETE", + builder, + localVarHeaderParams, + new String[] {}, + localVarPostBody, + new HashMap(), + false, + null); + } + + /** Manage optional parameters to deleteCSMThreatsAgentRule. */ + public static class DeleteCSMThreatsAgentRuleOptionalParameters { + private String policyId; + + /** + * Set policyId. + * + * @param policyId The ID of the Agent policy (optional) + * @return DeleteCSMThreatsAgentRuleOptionalParameters + */ + public DeleteCSMThreatsAgentRuleOptionalParameters policyId(String policyId) { + this.policyId = policyId; + return this; + } + } + /** * Delete a CSM Threats Agent rule. * *

See {@link #deleteCSMThreatsAgentRuleWithHttpInfo}. * - * @param agentRuleId The ID of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) * @throws ApiException if fails to make API call */ public void deleteCSMThreatsAgentRule(String agentRuleId) throws ApiException { - deleteCSMThreatsAgentRuleWithHttpInfo(agentRuleId); + deleteCSMThreatsAgentRuleWithHttpInfo( + agentRuleId, new DeleteCSMThreatsAgentRuleOptionalParameters()); } /** @@ -482,11 +781,45 @@ public void deleteCSMThreatsAgentRule(String agentRuleId) throws ApiException { * *

See {@link #deleteCSMThreatsAgentRuleWithHttpInfoAsync}. * - * @param agentRuleId The ID of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) * @return CompletableFuture */ public CompletableFuture deleteCSMThreatsAgentRuleAsync(String agentRuleId) { - return deleteCSMThreatsAgentRuleWithHttpInfoAsync(agentRuleId) + return deleteCSMThreatsAgentRuleWithHttpInfoAsync( + agentRuleId, new DeleteCSMThreatsAgentRuleOptionalParameters()) + .thenApply( + response -> { + return response.getData(); + }); + } + + /** + * Delete a CSM Threats Agent rule. + * + *

See {@link #deleteCSMThreatsAgentRuleWithHttpInfo}. + * + * @param agentRuleId The ID of the Agent rule (required) + * @param parameters Optional parameters for the request. + * @throws ApiException if fails to make API call + */ + public void deleteCSMThreatsAgentRule( + String agentRuleId, DeleteCSMThreatsAgentRuleOptionalParameters parameters) + throws ApiException { + deleteCSMThreatsAgentRuleWithHttpInfo(agentRuleId, parameters); + } + + /** + * Delete a CSM Threats Agent rule. + * + *

See {@link #deleteCSMThreatsAgentRuleWithHttpInfoAsync}. + * + * @param agentRuleId The ID of the Agent rule (required) + * @param parameters Optional parameters for the request. + * @return CompletableFuture + */ + public CompletableFuture deleteCSMThreatsAgentRuleAsync( + String agentRuleId, DeleteCSMThreatsAgentRuleOptionalParameters parameters) { + return deleteCSMThreatsAgentRuleWithHttpInfoAsync(agentRuleId, parameters) .thenApply( response -> { return response.getData(); @@ -494,9 +827,10 @@ public CompletableFuture deleteCSMThreatsAgentRuleAsync(String agentRuleId } /** - * Delete a specific Cloud Security Management Threats Agent rule. + * Delete a specific Cloud Security Management Threats Agent rule * - * @param agentRuleId The ID of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) + * @param parameters Optional parameters for the request. * @return ApiResponse<Void> * @throws ApiException if fails to make API call * @http.response.details @@ -509,7 +843,8 @@ public CompletableFuture deleteCSMThreatsAgentRuleAsync(String agentRuleId * 429 Too many requests - * */ - public ApiResponse deleteCSMThreatsAgentRuleWithHttpInfo(String agentRuleId) + public ApiResponse deleteCSMThreatsAgentRuleWithHttpInfo( + String agentRuleId, DeleteCSMThreatsAgentRuleOptionalParameters parameters) throws ApiException { Object localVarPostBody = null; 
@@ -519,19 +854,23 @@ public ApiResponse deleteCSMThreatsAgentRuleWithHttpInfo(String agentRuleI 400, "Missing the required parameter 'agentRuleId' when calling deleteCSMThreatsAgentRule"); } + String policyId = parameters.policyId; // create path and map variables String localVarPath = "/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}" .replaceAll( "\\{" + "agent_rule_id" + "\\}", apiClient.escapeString(agentRuleId.toString())); + List localVarQueryParams = new ArrayList(); Map localVarHeaderParams = new HashMap(); + localVarQueryParams.addAll(apiClient.parameterToPairs("", "policy_id", policyId)); + Invocation.Builder builder = apiClient.createBuilder( "v2.CsmThreatsApi.deleteCSMThreatsAgentRule", localVarPath, - new ArrayList(), + localVarQueryParams, localVarHeaderParams, new HashMap(), new String[] {"*/*"}, @@ -552,11 +891,12 @@ public ApiResponse deleteCSMThreatsAgentRuleWithHttpInfo(String agentRuleI * *
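Review bot: `String policyId = parameters.policyId;` dereferences the new `parameters` argument with no null check, so a caller of the public `deleteCSMThreatsAgentRuleWithHttpInfo(String, DeleteCSMThreatsAgentRuleOptionalParameters)` overload that passes `null` gets a bare NullPointerException, whereas a missing `agentRuleId` a few lines earlier is reported as a descriptive 400 ApiException. Because the object only carries optional values, treating null as "no optional parameters" is the backward-compatible fix: `String policyId = parameters == null ? null : parameters.policyId;`. The same line appears in the async variant in the next hunk (`@@ -569,21 +909,25 @@`), where it sits before the `try` that turns builder failures into a failed future, so the NPE would escape synchronously from a method whose contract is a CompletableFuture; `getCSMThreatsAgentRuleWithHttpInfo`/`…Async` and `listCSMThreatsAgentRulesWithHttpInfo`/`…Async` further down have the identical pattern. The enclosing method starts and ends outside this hunk.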

See {@link #deleteCSMThreatsAgentRuleWithHttpInfo}. * - * @param agentRuleId The ID of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) + * @param parameters Optional parameters for the request. * @return CompletableFuture<ApiResponse<Void>> */ public CompletableFuture> deleteCSMThreatsAgentRuleWithHttpInfoAsync( - String agentRuleId) { + String agentRuleId, DeleteCSMThreatsAgentRuleOptionalParameters parameters) { Object localVarPostBody = null; // verify the required parameter 'agentRuleId' is set @@ -569,21 +909,25 @@ public CompletableFuture> deleteCSMThreatsAgentRuleWithHttpInf + " deleteCSMThreatsAgentRule")); return result; } + String policyId = parameters.policyId; // create path and map variables String localVarPath = "/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}" .replaceAll( "\\{" + "agent_rule_id" + "\\}", apiClient.escapeString(agentRuleId.toString())); + List localVarQueryParams = new ArrayList(); Map localVarHeaderParams = new HashMap(); + localVarQueryParams.addAll(apiClient.parameterToPairs("", "policy_id", policyId)); + Invocation.Builder builder; try { builder = apiClient.createBuilder( "v2.CsmThreatsApi.deleteCSMThreatsAgentRule", localVarPath, - new ArrayList(), + localVarQueryParams, localVarHeaderParams, new HashMap(), new String[] {"*/*"}, @@ -831,7 +1175,7 @@ public CompletableFuture> downloadCSMThreatsPolicyWithHttpInfo * *

See {@link #getCloudWorkloadSecurityAgentRuleWithHttpInfo}. * - * @param agentRuleId The ID of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) * @return CloudWorkloadSecurityAgentRuleResponse * @throws ApiException if fails to make API call */ @@ -845,7 +1189,7 @@ public CloudWorkloadSecurityAgentRuleResponse getCloudWorkloadSecurityAgentRule( * *

See {@link #getCloudWorkloadSecurityAgentRuleWithHttpInfoAsync}. * - * @param agentRuleId The ID of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) * @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse> */ public CompletableFuture @@ -858,9 +1202,9 @@ public CloudWorkloadSecurityAgentRuleResponse getCloudWorkloadSecurityAgentRule( } /** - * Get the details of a specific Agent rule. + * Get the details of a specific Agent rule * - * @param agentRuleId The ID of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) * @return ApiResponse<CloudWorkloadSecurityAgentRuleResponse> * @throws ApiException if fails to make API call * @http.response.details @@ -917,7 +1261,7 @@ public CloudWorkloadSecurityAgentRuleResponse getCloudWorkloadSecurityAgentRule( * *

See {@link #getCloudWorkloadSecurityAgentRuleWithHttpInfo}. * - * @param agentRuleId The ID of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) * @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentRuleResponse>> */ public CompletableFuture> @@ -972,30 +1316,30 @@ public CloudWorkloadSecurityAgentRuleResponse getCloudWorkloadSecurityAgentRule( } /** - * Get a CSM Threats Agent rule. + * Get a CSM Threats Agent policy. * - *

See {@link #getCSMThreatsAgentRuleWithHttpInfo}. + *

See {@link #getCSMThreatsAgentPolicyWithHttpInfo}. * - * @param agentRuleId The ID of the Agent rule. (required) - * @return CloudWorkloadSecurityAgentRuleResponse + * @param policyId The ID of the Agent policy (required) + * @return CloudWorkloadSecurityAgentPolicyResponse * @throws ApiException if fails to make API call */ - public CloudWorkloadSecurityAgentRuleResponse getCSMThreatsAgentRule(String agentRuleId) + public CloudWorkloadSecurityAgentPolicyResponse getCSMThreatsAgentPolicy(String policyId) throws ApiException { - return getCSMThreatsAgentRuleWithHttpInfo(agentRuleId).getData(); + return getCSMThreatsAgentPolicyWithHttpInfo(policyId).getData(); } /** - * Get a CSM Threats Agent rule. + * Get a CSM Threats Agent policy. * - *

See {@link #getCSMThreatsAgentRuleWithHttpInfoAsync}. + *

See {@link #getCSMThreatsAgentPolicyWithHttpInfoAsync}. * - * @param agentRuleId The ID of the Agent rule. (required) - * @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse> + * @param policyId The ID of the Agent policy (required) + * @return CompletableFuture<CloudWorkloadSecurityAgentPolicyResponse> */ - public CompletableFuture getCSMThreatsAgentRuleAsync( - String agentRuleId) { - return getCSMThreatsAgentRuleWithHttpInfoAsync(agentRuleId) + public CompletableFuture getCSMThreatsAgentPolicyAsync( + String policyId) { + return getCSMThreatsAgentPolicyWithHttpInfoAsync(policyId) .thenApply( response -> { return response.getData(); @@ -1003,10 +1347,10 @@ public CompletableFuture getCSMThreatsAg } /** - * Get the details of a specific Cloud Security Management Threats Agent rule. + * Get the details of a specific Cloud Security Management Threats Agent policy * - * @param agentRuleId The ID of the Agent rule. (required) - * @return ApiResponse<CloudWorkloadSecurityAgentRuleResponse> + * @param policyId The ID of the Agent policy (required) + * @return ApiResponse<CloudWorkloadSecurityAgentPolicyResponse> * @throws ApiException if fails to make API call * @http.response.details * @@ -1018,28 +1362,225 @@ public CompletableFuture getCSMThreatsAg * *
429 Too many requests -
*/ - public ApiResponse getCSMThreatsAgentRuleWithHttpInfo( - String agentRuleId) throws ApiException { + public ApiResponse getCSMThreatsAgentPolicyWithHttpInfo( + String policyId) throws ApiException { Object localVarPostBody = null; - // verify the required parameter 'agentRuleId' is set - if (agentRuleId == null) { + // verify the required parameter 'policyId' is set + if (policyId == null) { throw new ApiException( - 400, "Missing the required parameter 'agentRuleId' when calling getCSMThreatsAgentRule"); + 400, "Missing the required parameter 'policyId' when calling getCSMThreatsAgentPolicy"); } // create path and map variables String localVarPath = - "/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}" + "/api/v2/remote_config/products/cws/policy/{policy_id}" + .replaceAll("\\{" + "policy_id" + "\\}", apiClient.escapeString(policyId.toString())); + + Map localVarHeaderParams = new HashMap(); + + Invocation.Builder builder = + apiClient.createBuilder( + "v2.CsmThreatsApi.getCSMThreatsAgentPolicy", + localVarPath, + new ArrayList(), + localVarHeaderParams, + new HashMap(), + new String[] {"application/json"}, + new String[] {"apiKeyAuth", "appKeyAuth"}); + return apiClient.invokeAPI( + "GET", + builder, + localVarHeaderParams, + new String[] {}, + localVarPostBody, + new HashMap(), + false, + new GenericType() {}); + } + + /** + * Get a CSM Threats Agent policy. + * + *

See {@link #getCSMThreatsAgentPolicyWithHttpInfo}. + * + * @param policyId The ID of the Agent policy (required) + * @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentPolicyResponse>> + */ + public CompletableFuture> + getCSMThreatsAgentPolicyWithHttpInfoAsync(String policyId) { + Object localVarPostBody = null; + + // verify the required parameter 'policyId' is set + if (policyId == null) { + CompletableFuture> result = + new CompletableFuture<>(); + result.completeExceptionally( + new ApiException( + 400, + "Missing the required parameter 'policyId' when calling getCSMThreatsAgentPolicy")); + return result; + } + // create path and map variables + String localVarPath = + "/api/v2/remote_config/products/cws/policy/{policy_id}" + .replaceAll("\\{" + "policy_id" + "\\}", apiClient.escapeString(policyId.toString())); + + Map localVarHeaderParams = new HashMap(); + + Invocation.Builder builder; + try { + builder = + apiClient.createBuilder( + "v2.CsmThreatsApi.getCSMThreatsAgentPolicy", + localVarPath, + new ArrayList(), + localVarHeaderParams, + new HashMap(), + new String[] {"application/json"}, + new String[] {"apiKeyAuth", "appKeyAuth"}); + } catch (ApiException ex) { + CompletableFuture> result = + new CompletableFuture<>(); + result.completeExceptionally(ex); + return result; + } + return apiClient.invokeAPIAsync( + "GET", + builder, + localVarHeaderParams, + new String[] {}, + localVarPostBody, + new HashMap(), + false, + new GenericType() {}); + } + + /** Manage optional parameters to getCSMThreatsAgentRule. */ + public static class GetCSMThreatsAgentRuleOptionalParameters { + private String policyId; + + /** + * Set policyId. + * + * @param policyId The ID of the Agent policy (optional) + * @return GetCSMThreatsAgentRuleOptionalParameters + */ + public GetCSMThreatsAgentRuleOptionalParameters policyId(String policyId) { + this.policyId = policyId; + return this; + } + } + + /** + * Get a CSM Threats Agent rule. + * + *

See {@link #getCSMThreatsAgentRuleWithHttpInfo}. + * + * @param agentRuleId The ID of the Agent rule (required) + * @return CloudWorkloadSecurityAgentRuleResponse + * @throws ApiException if fails to make API call + */ + public CloudWorkloadSecurityAgentRuleResponse getCSMThreatsAgentRule(String agentRuleId) + throws ApiException { + return getCSMThreatsAgentRuleWithHttpInfo( + agentRuleId, new GetCSMThreatsAgentRuleOptionalParameters()) + .getData(); + } + + /** + * Get a CSM Threats Agent rule. + * + *

See {@link #getCSMThreatsAgentRuleWithHttpInfoAsync}. + * + * @param agentRuleId The ID of the Agent rule (required) + * @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse> + */ + public CompletableFuture getCSMThreatsAgentRuleAsync( + String agentRuleId) { + return getCSMThreatsAgentRuleWithHttpInfoAsync( + agentRuleId, new GetCSMThreatsAgentRuleOptionalParameters()) + .thenApply( + response -> { + return response.getData(); + }); + } + + /** + * Get a CSM Threats Agent rule. + * + *

See {@link #getCSMThreatsAgentRuleWithHttpInfo}. + * + * @param agentRuleId The ID of the Agent rule (required) + * @param parameters Optional parameters for the request. + * @return CloudWorkloadSecurityAgentRuleResponse + * @throws ApiException if fails to make API call + */ + public CloudWorkloadSecurityAgentRuleResponse getCSMThreatsAgentRule( + String agentRuleId, GetCSMThreatsAgentRuleOptionalParameters parameters) throws ApiException { + return getCSMThreatsAgentRuleWithHttpInfo(agentRuleId, parameters).getData(); + } + + /** + * Get a CSM Threats Agent rule. + * + *

See {@link #getCSMThreatsAgentRuleWithHttpInfoAsync}. + * + * @param agentRuleId The ID of the Agent rule (required) + * @param parameters Optional parameters for the request. + * @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse> + */ + public CompletableFuture getCSMThreatsAgentRuleAsync( + String agentRuleId, GetCSMThreatsAgentRuleOptionalParameters parameters) { + return getCSMThreatsAgentRuleWithHttpInfoAsync(agentRuleId, parameters) + .thenApply( + response -> { + return response.getData(); + }); + } + + /** + * Get the details of a specific Cloud Security Management Threats Agent rule + * + * @param agentRuleId The ID of the Agent rule (required) + * @param parameters Optional parameters for the request. + * @return ApiResponse<CloudWorkloadSecurityAgentRuleResponse> + * @throws ApiException if fails to make API call + * @http.response.details + * + * + * + * + * + * + * + *
Response details
Status Code Description Response Headers
200 OK -
403 Not Authorized -
404 Not Found -
429 Too many requests -
+ */ + public ApiResponse getCSMThreatsAgentRuleWithHttpInfo( + String agentRuleId, GetCSMThreatsAgentRuleOptionalParameters parameters) throws ApiException { + Object localVarPostBody = null; + + // verify the required parameter 'agentRuleId' is set + if (agentRuleId == null) { + throw new ApiException( + 400, "Missing the required parameter 'agentRuleId' when calling getCSMThreatsAgentRule"); + } + String policyId = parameters.policyId; + // create path and map variables + String localVarPath = + "/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}" .replaceAll( "\\{" + "agent_rule_id" + "\\}", apiClient.escapeString(agentRuleId.toString())); + List localVarQueryParams = new ArrayList(); Map localVarHeaderParams = new HashMap(); + localVarQueryParams.addAll(apiClient.parameterToPairs("", "policy_id", policyId)); + Invocation.Builder builder = apiClient.createBuilder( "v2.CsmThreatsApi.getCSMThreatsAgentRule", localVarPath, - new ArrayList(), + localVarQueryParams, localVarHeaderParams, new HashMap(), new String[] {"application/json"}, @@ -1060,11 +1601,13 @@ public ApiResponse getCSMThreatsAgentRul * *

See {@link #getCSMThreatsAgentRuleWithHttpInfo}. * - * @param agentRuleId The ID of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) + * @param parameters Optional parameters for the request. * @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentRuleResponse>> */ public CompletableFuture> - getCSMThreatsAgentRuleWithHttpInfoAsync(String agentRuleId) { + getCSMThreatsAgentRuleWithHttpInfoAsync( + String agentRuleId, GetCSMThreatsAgentRuleOptionalParameters parameters) { Object localVarPostBody = null; // verify the required parameter 'agentRuleId' is set @@ -1077,21 +1620,25 @@ public ApiResponse getCSMThreatsAgentRul "Missing the required parameter 'agentRuleId' when calling getCSMThreatsAgentRule")); return result; } + String policyId = parameters.policyId; // create path and map variables String localVarPath = "/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}" .replaceAll( "\\{" + "agent_rule_id" + "\\}", apiClient.escapeString(agentRuleId.toString())); + List localVarQueryParams = new ArrayList(); Map localVarHeaderParams = new HashMap(); + localVarQueryParams.addAll(apiClient.parameterToPairs("", "policy_id", policyId)); + Invocation.Builder builder; try { builder = apiClient.createBuilder( "v2.CsmThreatsApi.getCSMThreatsAgentRule", localVarPath, - new ArrayList(), + localVarQueryParams, localVarHeaderParams, new HashMap(), new String[] {"application/json"}, @@ -1143,7 +1690,7 @@ public CloudWorkloadSecurityAgentRulesListResponse listCloudWorkloadSecurityAgen } /** - * Get the list of Agent rules. + * Get the list of Agent rules * * @return ApiResponse<CloudWorkloadSecurityAgentRulesListResponse> * @throws ApiException if fails to make API call @@ -1227,6 +1774,137 @@ public CloudWorkloadSecurityAgentRulesListResponse listCloudWorkloadSecurityAgen new GenericType() {}); } + /** + * Get all CSM Threats Agent policies. + * + *

See {@link #listCSMThreatsAgentPoliciesWithHttpInfo}. + * + * @return CloudWorkloadSecurityAgentPoliciesListResponse + * @throws ApiException if fails to make API call + */ + public CloudWorkloadSecurityAgentPoliciesListResponse listCSMThreatsAgentPolicies() + throws ApiException { + return listCSMThreatsAgentPoliciesWithHttpInfo().getData(); + } + + /** + * Get all CSM Threats Agent policies. + * + *

See {@link #listCSMThreatsAgentPoliciesWithHttpInfoAsync}. + * + * @return CompletableFuture<CloudWorkloadSecurityAgentPoliciesListResponse> + */ + public CompletableFuture + listCSMThreatsAgentPoliciesAsync() { + return listCSMThreatsAgentPoliciesWithHttpInfoAsync() + .thenApply( + response -> { + return response.getData(); + }); + } + + /** + * Get the list of Cloud Security Management Threats Agent policies + * + * @return ApiResponse<CloudWorkloadSecurityAgentPoliciesListResponse> + * @throws ApiException if fails to make API call + * @http.response.details + * + * + * + * + * + * + *
Response details
Status Code Description Response Headers
200 OK -
403 Not Authorized -
429 Too many requests -
+ */ + public ApiResponse + listCSMThreatsAgentPoliciesWithHttpInfo() throws ApiException { + Object localVarPostBody = null; + // create path and map variables + String localVarPath = "/api/v2/remote_config/products/cws/policy"; + + Map localVarHeaderParams = new HashMap(); + + Invocation.Builder builder = + apiClient.createBuilder( + "v2.CsmThreatsApi.listCSMThreatsAgentPolicies", + localVarPath, + new ArrayList(), + localVarHeaderParams, + new HashMap(), + new String[] {"application/json"}, + new String[] {"apiKeyAuth", "appKeyAuth"}); + return apiClient.invokeAPI( + "GET", + builder, + localVarHeaderParams, + new String[] {}, + localVarPostBody, + new HashMap(), + false, + new GenericType() {}); + } + + /** + * Get all CSM Threats Agent policies. + * + *

See {@link #listCSMThreatsAgentPoliciesWithHttpInfo}. + * + * @return + * CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentPoliciesListResponse>> + */ + public CompletableFuture> + listCSMThreatsAgentPoliciesWithHttpInfoAsync() { + Object localVarPostBody = null; + // create path and map variables + String localVarPath = "/api/v2/remote_config/products/cws/policy"; + + Map localVarHeaderParams = new HashMap(); + + Invocation.Builder builder; + try { + builder = + apiClient.createBuilder( + "v2.CsmThreatsApi.listCSMThreatsAgentPolicies", + localVarPath, + new ArrayList(), + localVarHeaderParams, + new HashMap(), + new String[] {"application/json"}, + new String[] {"apiKeyAuth", "appKeyAuth"}); + } catch (ApiException ex) { + CompletableFuture> result = + new CompletableFuture<>(); + result.completeExceptionally(ex); + return result; + } + return apiClient.invokeAPIAsync( + "GET", + builder, + localVarHeaderParams, + new String[] {}, + localVarPostBody, + new HashMap(), + false, + new GenericType() {}); + } + + /** Manage optional parameters to listCSMThreatsAgentRules. */ + public static class ListCSMThreatsAgentRulesOptionalParameters { + private String policyId; + + /** + * Set policyId. + * + * @param policyId The ID of the Agent policy (optional) + * @return ListCSMThreatsAgentRulesOptionalParameters + */ + public ListCSMThreatsAgentRulesOptionalParameters policyId(String policyId) { + this.policyId = policyId; + return this; + } + } + /** * Get all CSM Threats Agent rules. * @@ -1237,7 +1915,8 @@ public CloudWorkloadSecurityAgentRulesListResponse listCloudWorkloadSecurityAgen */ public CloudWorkloadSecurityAgentRulesListResponse listCSMThreatsAgentRules() throws ApiException { - return listCSMThreatsAgentRulesWithHttpInfo().getData(); + return listCSMThreatsAgentRulesWithHttpInfo(new ListCSMThreatsAgentRulesOptionalParameters()) + .getData(); } /** 
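Review bot: The `policyId` setter Javadoc on `ListCSMThreatsAgentRulesOptionalParameters` says only `The ID of the Agent policy (optional)`, which leaves unstated what supplying it does to a list call; the same wording is reused on the Get and Delete optional-parameter classes. Presumably it scopes the listing to rules that belong to that policy, since the value is sent as the `policy_id` query parameter in a later hunk, but that is inferred from the name and should be confirmed against the spec before being written down. A sentence on the setter such as `When set, the request is scoped to the Agent policy with this ID — confirm against the spec.` would spare callers the guess. Separately, the summary `Get the list of Cloud Security Management Threats Agent policies` drops the terminal period that the convenience-overload summaries keep; the commit strips periods from several existing summaries too, so this may be intended generator output, but the two styles now sit side by side in one file.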
@@ -1249,7 +1928,39 @@ public CloudWorkloadSecurityAgentRulesListResponse listCSMThreatsAgentRules() */ public CompletableFuture listCSMThreatsAgentRulesAsync() { - return listCSMThreatsAgentRulesWithHttpInfoAsync() + return listCSMThreatsAgentRulesWithHttpInfoAsync( + new ListCSMThreatsAgentRulesOptionalParameters()) + .thenApply( + response -> { + return response.getData(); + }); + } + + /** + * Get all CSM Threats Agent rules. + * + *

See {@link #listCSMThreatsAgentRulesWithHttpInfo}. + * + * @param parameters Optional parameters for the request. + * @return CloudWorkloadSecurityAgentRulesListResponse + * @throws ApiException if fails to make API call + */ + public CloudWorkloadSecurityAgentRulesListResponse listCSMThreatsAgentRules( + ListCSMThreatsAgentRulesOptionalParameters parameters) throws ApiException { + return listCSMThreatsAgentRulesWithHttpInfo(parameters).getData(); + } + + /** + * Get all CSM Threats Agent rules. + * + *

See {@link #listCSMThreatsAgentRulesWithHttpInfoAsync}. + * + * @param parameters Optional parameters for the request. + * @return CompletableFuture<CloudWorkloadSecurityAgentRulesListResponse> + */ + public CompletableFuture + listCSMThreatsAgentRulesAsync(ListCSMThreatsAgentRulesOptionalParameters parameters) { + return listCSMThreatsAgentRulesWithHttpInfoAsync(parameters) .thenApply( response -> { return response.getData(); @@ -1257,8 +1968,9 @@ public CloudWorkloadSecurityAgentRulesListResponse listCSMThreatsAgentRules() } /** - * Get the list of Cloud Security Management Threats Agent rules. + * Get the list of Cloud Security Management Threats Agent rules * + * @param parameters Optional parameters for the request. * @return ApiResponse<CloudWorkloadSecurityAgentRulesListResponse> * @throws ApiException if fails to make API call * @http.response.details @@ -1271,18 +1983,23 @@ public CloudWorkloadSecurityAgentRulesListResponse listCSMThreatsAgentRules() * */ public ApiResponse - listCSMThreatsAgentRulesWithHttpInfo() throws ApiException { + listCSMThreatsAgentRulesWithHttpInfo(ListCSMThreatsAgentRulesOptionalParameters parameters) + throws ApiException { Object localVarPostBody = null; + String policyId = parameters.policyId; // create path and map variables String localVarPath = "/api/v2/remote_config/products/cws/agent_rules"; + List localVarQueryParams = new ArrayList(); Map localVarHeaderParams = new HashMap(); + localVarQueryParams.addAll(apiClient.parameterToPairs("", "policy_id", policyId)); + Invocation.Builder builder = apiClient.createBuilder( "v2.CsmThreatsApi.listCSMThreatsAgentRules", localVarPath, - new ArrayList(), + localVarQueryParams, localVarHeaderParams, new HashMap(), new String[] {"application/json"}, @@ -1303,23 +2020,29 @@ public CloudWorkloadSecurityAgentRulesListResponse listCSMThreatsAgentRules() * *

See {@link #listCSMThreatsAgentRulesWithHttpInfo}. * + * @param parameters Optional parameters for the request. * @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentRulesListResponse>> */ public CompletableFuture> - listCSMThreatsAgentRulesWithHttpInfoAsync() { + listCSMThreatsAgentRulesWithHttpInfoAsync( + ListCSMThreatsAgentRulesOptionalParameters parameters) { Object localVarPostBody = null; + String policyId = parameters.policyId; // create path and map variables String localVarPath = "/api/v2/remote_config/products/cws/agent_rules"; + List localVarQueryParams = new ArrayList(); Map localVarHeaderParams = new HashMap(); + localVarQueryParams.addAll(apiClient.parameterToPairs("", "policy_id", policyId)); + Invocation.Builder builder; try { builder = apiClient.createBuilder( "v2.CsmThreatsApi.listCSMThreatsAgentRules", localVarPath, - new ArrayList(), + localVarQueryParams, localVarHeaderParams, new HashMap(), new String[] {"application/json"}, @@ -1346,8 +2069,8 @@ public CloudWorkloadSecurityAgentRulesListResponse listCSMThreatsAgentRules() * *

See {@link #updateCloudWorkloadSecurityAgentRuleWithHttpInfo}. * - * @param agentRuleId The ID of the Agent rule. (required) - * @param body New definition of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) + * @param body New definition of the Agent rule (required) * @return CloudWorkloadSecurityAgentRuleResponse * @throws ApiException if fails to make API call */ @@ -1361,8 +2084,8 @@ public CloudWorkloadSecurityAgentRuleResponse updateCloudWorkloadSecurityAgentRu * *

See {@link #updateCloudWorkloadSecurityAgentRuleWithHttpInfoAsync}. * - * @param agentRuleId The ID of the Agent rule. (required) - * @param body New definition of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) + * @param body New definition of the Agent rule (required) * @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse> */ public CompletableFuture @@ -1378,8 +2101,8 @@ public CloudWorkloadSecurityAgentRuleResponse updateCloudWorkloadSecurityAgentRu /** * Update a specific Agent rule. Returns the Agent rule object when the request is successful. * - * @param agentRuleId The ID of the Agent rule. (required) - * @param body New definition of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) + * @param body New definition of the Agent rule (required) * @return ApiResponse<CloudWorkloadSecurityAgentRuleResponse> * @throws ApiException if fails to make API call * @http.response.details @@ -1448,8 +2171,8 @@ public CloudWorkloadSecurityAgentRuleResponse updateCloudWorkloadSecurityAgentRu * *

See {@link #updateCloudWorkloadSecurityAgentRuleWithHttpInfo}. * - * @param agentRuleId The ID of the Agent rule. (required) - * @param body New definition of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) + * @param body New definition of the Agent rule (required) * @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentRuleResponse>> */ public CompletableFuture> @@ -1516,19 +2239,206 @@ public CloudWorkloadSecurityAgentRuleResponse updateCloudWorkloadSecurityAgentRu new GenericType() {}); } + /** + * Update a CSM Threats Agent policy. + * + *

See {@link #updateCSMThreatsAgentPolicyWithHttpInfo}. + * + * @param policyId The ID of the Agent policy (required) + * @param body New definition of the Agent policy (required) + * @return CloudWorkloadSecurityAgentPolicyResponse + * @throws ApiException if fails to make API call + */ + public CloudWorkloadSecurityAgentPolicyResponse updateCSMThreatsAgentPolicy( + String policyId, CloudWorkloadSecurityAgentPolicyUpdateRequest body) throws ApiException { + return updateCSMThreatsAgentPolicyWithHttpInfo(policyId, body).getData(); + } + + /** + * Update a CSM Threats Agent policy. + * + *

See {@link #updateCSMThreatsAgentPolicyWithHttpInfoAsync}. + * + * @param policyId The ID of the Agent policy (required) + * @param body New definition of the Agent policy (required) + * @return CompletableFuture<CloudWorkloadSecurityAgentPolicyResponse> + */ + public CompletableFuture + updateCSMThreatsAgentPolicyAsync( + String policyId, CloudWorkloadSecurityAgentPolicyUpdateRequest body) { + return updateCSMThreatsAgentPolicyWithHttpInfoAsync(policyId, body) + .thenApply( + response -> { + return response.getData(); + }); + } + + /** + * Update a specific Cloud Security Management Threats Agent policy. Returns the Agent policy + * object when the request is successful. + * + * @param policyId The ID of the Agent policy (required) + * @param body New definition of the Agent policy (required) + * @return ApiResponse<CloudWorkloadSecurityAgentPolicyResponse> + * @throws ApiException if fails to make API call + * @http.response.details + * + * + * + * + * + * + * + * + * + *
Response details
Status Code Description Response Headers
200 OK -
400 Bad Request -
403 Not Authorized -
404 Not Found -
409 Concurrent Modification -
429 Too many requests -
+ */ + public ApiResponse + updateCSMThreatsAgentPolicyWithHttpInfo( + String policyId, CloudWorkloadSecurityAgentPolicyUpdateRequest body) throws ApiException { + Object localVarPostBody = body; + + // verify the required parameter 'policyId' is set + if (policyId == null) { + throw new ApiException( + 400, + "Missing the required parameter 'policyId' when calling updateCSMThreatsAgentPolicy"); + } + + // verify the required parameter 'body' is set + if (body == null) { + throw new ApiException( + 400, "Missing the required parameter 'body' when calling updateCSMThreatsAgentPolicy"); + } + // create path and map variables + String localVarPath = + "/api/v2/remote_config/products/cws/policy/{policy_id}" + .replaceAll("\\{" + "policy_id" + "\\}", apiClient.escapeString(policyId.toString())); + + Map localVarHeaderParams = new HashMap(); + + Invocation.Builder builder = + apiClient.createBuilder( + "v2.CsmThreatsApi.updateCSMThreatsAgentPolicy", + localVarPath, + new ArrayList(), + localVarHeaderParams, + new HashMap(), + new String[] {"application/json"}, + new String[] {"apiKeyAuth", "appKeyAuth"}); + return apiClient.invokeAPI( + "PATCH", + builder, + localVarHeaderParams, + new String[] {"application/json"}, + localVarPostBody, + new HashMap(), + false, + new GenericType() {}); + } + + /** + * Update a CSM Threats Agent policy. + * + *

See {@link #updateCSMThreatsAgentPolicyWithHttpInfo}. + * + * @param policyId The ID of the Agent policy (required) + * @param body New definition of the Agent policy (required) + * @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentPolicyResponse>> + */ + public CompletableFuture> + updateCSMThreatsAgentPolicyWithHttpInfoAsync( + String policyId, CloudWorkloadSecurityAgentPolicyUpdateRequest body) { + Object localVarPostBody = body; + + // verify the required parameter 'policyId' is set + if (policyId == null) { + CompletableFuture> result = + new CompletableFuture<>(); + result.completeExceptionally( + new ApiException( + 400, + "Missing the required parameter 'policyId' when calling" + + " updateCSMThreatsAgentPolicy")); + return result; + } + + // verify the required parameter 'body' is set + if (body == null) { + CompletableFuture> result = + new CompletableFuture<>(); + result.completeExceptionally( + new ApiException( + 400, + "Missing the required parameter 'body' when calling updateCSMThreatsAgentPolicy")); + return result; + } + // create path and map variables + String localVarPath = + "/api/v2/remote_config/products/cws/policy/{policy_id}" + .replaceAll("\\{" + "policy_id" + "\\}", apiClient.escapeString(policyId.toString())); + + Map localVarHeaderParams = new HashMap(); + + Invocation.Builder builder; + try { + builder = + apiClient.createBuilder( + "v2.CsmThreatsApi.updateCSMThreatsAgentPolicy", + localVarPath, + new ArrayList(), + localVarHeaderParams, + new HashMap(), + new String[] {"application/json"}, + new String[] {"apiKeyAuth", "appKeyAuth"}); + } catch (ApiException ex) { + CompletableFuture> result = + new CompletableFuture<>(); + result.completeExceptionally(ex); + return result; + } + return apiClient.invokeAPIAsync( + "PATCH", + builder, + localVarHeaderParams, + new String[] {"application/json"}, + localVarPostBody, + new HashMap(), + false, + new GenericType() {}); + } + + /** Manage optional parameters to 
updateCSMThreatsAgentRule. */ + public static class UpdateCSMThreatsAgentRuleOptionalParameters { + private String policyId; + + /** + * Set policyId. + * + * @param policyId The ID of the Agent policy (optional) + * @return UpdateCSMThreatsAgentRuleOptionalParameters + */ + public UpdateCSMThreatsAgentRuleOptionalParameters policyId(String policyId) { + this.policyId = policyId; + return this; + } + } + /** * Update a CSM Threats Agent rule. * *

See {@link #updateCSMThreatsAgentRuleWithHttpInfo}. * - * @param agentRuleId The ID of the Agent rule. (required) - * @param body New definition of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) + * @param body New definition of the Agent rule (required) * @return CloudWorkloadSecurityAgentRuleResponse * @throws ApiException if fails to make API call */ public CloudWorkloadSecurityAgentRuleResponse updateCSMThreatsAgentRule( String agentRuleId, CloudWorkloadSecurityAgentRuleUpdateRequest body) throws ApiException { - return updateCSMThreatsAgentRuleWithHttpInfo(agentRuleId, body).getData(); + return updateCSMThreatsAgentRuleWithHttpInfo( + agentRuleId, body, new UpdateCSMThreatsAgentRuleOptionalParameters()) + .getData(); } /** @@ -1536,13 +2446,54 @@ public CloudWorkloadSecurityAgentRuleResponse updateCSMThreatsAgentRule( * *

See {@link #updateCSMThreatsAgentRuleWithHttpInfoAsync}. * - * @param agentRuleId The ID of the Agent rule. (required) - * @param body New definition of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) + * @param body New definition of the Agent rule (required) * @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse> */ public CompletableFuture updateCSMThreatsAgentRuleAsync( String agentRuleId, CloudWorkloadSecurityAgentRuleUpdateRequest body) { - return updateCSMThreatsAgentRuleWithHttpInfoAsync(agentRuleId, body) + return updateCSMThreatsAgentRuleWithHttpInfoAsync( + agentRuleId, body, new UpdateCSMThreatsAgentRuleOptionalParameters()) + .thenApply( + response -> { + return response.getData(); + }); + } + + /** + * Update a CSM Threats Agent rule. + * + *

See {@link #updateCSMThreatsAgentRuleWithHttpInfo}. + * + * @param agentRuleId The ID of the Agent rule (required) + * @param body New definition of the Agent rule (required) + * @param parameters Optional parameters for the request. + * @return CloudWorkloadSecurityAgentRuleResponse + * @throws ApiException if fails to make API call + */ + public CloudWorkloadSecurityAgentRuleResponse updateCSMThreatsAgentRule( + String agentRuleId, + CloudWorkloadSecurityAgentRuleUpdateRequest body, + UpdateCSMThreatsAgentRuleOptionalParameters parameters) + throws ApiException { + return updateCSMThreatsAgentRuleWithHttpInfo(agentRuleId, body, parameters).getData(); + } + + /** + * Update a CSM Threats Agent rule. + * + *

See {@link #updateCSMThreatsAgentRuleWithHttpInfoAsync}. + * + * @param agentRuleId The ID of the Agent rule (required) + * @param body New definition of the Agent rule (required) + * @param parameters Optional parameters for the request. + * @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse> + */ + public CompletableFuture updateCSMThreatsAgentRuleAsync( + String agentRuleId, + CloudWorkloadSecurityAgentRuleUpdateRequest body, + UpdateCSMThreatsAgentRuleOptionalParameters parameters) { + return updateCSMThreatsAgentRuleWithHttpInfoAsync(agentRuleId, body, parameters) .thenApply( response -> { return response.getData(); @@ -1553,8 +2504,9 @@ public CompletableFuture updateCSMThreat * Update a specific Cloud Security Management Threats Agent rule. Returns the Agent rule object * when the request is successful. * - * @param agentRuleId The ID of the Agent rule. (required) - * @param body New definition of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) + * @param body New definition of the Agent rule (required) + * @param parameters Optional parameters for the request. * @return ApiResponse<CloudWorkloadSecurityAgentRuleResponse> * @throws ApiException if fails to make API call * @http.response.details @@ -1570,7 +2522,10 @@ public CompletableFuture updateCSMThreat * */ public ApiResponse updateCSMThreatsAgentRuleWithHttpInfo( - String agentRuleId, CloudWorkloadSecurityAgentRuleUpdateRequest body) throws ApiException { + String agentRuleId, + CloudWorkloadSecurityAgentRuleUpdateRequest body, + UpdateCSMThreatsAgentRuleOptionalParameters parameters) + throws ApiException { Object localVarPostBody = body; // verify the required parameter 'agentRuleId' is set 
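Review bot: The Javadoc on the new three-argument `updateCSMThreatsAgentRule` / `updateCSMThreatsAgentRuleAsync` overloads describes `parameters` only as `Optional parameters for the request.`, which reads as if null were acceptable, while the implementation in hunk `@@ -1585,19 +2540,23 @@` reads `parameters.policyId` unguarded. Suggest `@param parameters Optional parameters for the request; must not be {@code null} (use the two-argument overload to send none)` on both overloads. Separately, the two-argument async wrapper unwraps with a block lambda `response -> { return response.getData(); }`; `.thenApply(ApiResponse::getData)` says the same in one line, though the surrounding context lines already use the block form so this is a generator-wide style choice.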
@@ -1585,19 +2540,23 @@ public ApiResponse updateCSMThreatsAgent throw new ApiException( 400, "Missing the required parameter 'body' when calling updateCSMThreatsAgentRule"); } + String policyId = parameters.policyId; // create path and map variables String localVarPath = "/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}" .replaceAll( "\\{" + "agent_rule_id" + "\\}", apiClient.escapeString(agentRuleId.toString())); + List localVarQueryParams = new ArrayList(); Map localVarHeaderParams = new HashMap(); + localVarQueryParams.addAll(apiClient.parameterToPairs("", "policy_id", policyId)); + Invocation.Builder builder = apiClient.createBuilder( "v2.CsmThreatsApi.updateCSMThreatsAgentRule", localVarPath, - new ArrayList(), + localVarQueryParams, localVarHeaderParams, new HashMap(), new String[] {"application/json"}, @@ -1618,13 +2577,16 @@ public ApiResponse updateCSMThreatsAgent * *
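Review bot: `String policyId = parameters.policyId;` dereferences the new `parameters` argument without a null check, so a caller of the public three-argument `updateCSMThreatsAgentRuleWithHttpInfo` that passes null gets a NullPointerException instead of the `ApiException(400, ...)` the method raises for the other missing arguments; the same line appears in the async hunk `@@ -1648,21 +2610,25 @@`. Either reject it like the others or fall back to the defaults: `if (parameters == null) { parameters = new UpdateCSMThreatsAgentRuleOptionalParameters(); }` before the field read. The query pair is added unconditionally via `apiClient.parameterToPairs("", "policy_id", policyId)`, which presumably drops a null value rather than emitting an empty or literal `null` `policy_id` — worth confirming against ApiClient, since the server would otherwise receive an unintended policy reference on the update. The enclosing method starts outside the hunk.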

See {@link #updateCSMThreatsAgentRuleWithHttpInfo}. * - * @param agentRuleId The ID of the Agent rule. (required) - * @param body New definition of the Agent rule. (required) + * @param agentRuleId The ID of the Agent rule (required) + * @param body New definition of the Agent rule (required) + * @param parameters Optional parameters for the request. * @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentRuleResponse>> */ public CompletableFuture> updateCSMThreatsAgentRuleWithHttpInfoAsync( - String agentRuleId, CloudWorkloadSecurityAgentRuleUpdateRequest body) { + String agentRuleId, + CloudWorkloadSecurityAgentRuleUpdateRequest body, + UpdateCSMThreatsAgentRuleOptionalParameters parameters) { Object localVarPostBody = body; // verify the required parameter 'agentRuleId' is set @@ -1648,21 +2610,25 @@ public ApiResponse updateCSMThreatsAgent 400, "Missing the required parameter 'body' when calling updateCSMThreatsAgentRule")); return result; } + String policyId = parameters.policyId; // create path and map variables String localVarPath = "/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}" .replaceAll( "\\{" + "agent_rule_id" + "\\}", apiClient.escapeString(agentRuleId.toString())); + List localVarQueryParams = new ArrayList(); Map localVarHeaderParams = new HashMap(); + localVarQueryParams.addAll(apiClient.parameterToPairs("", "policy_id", policyId)); + Invocation.Builder builder; try { builder = apiClient.createBuilder( "v2.CsmThreatsApi.updateCSMThreatsAgentRule", localVarPath, - new ArrayList(), + localVarQueryParams, localVarHeaderParams, new HashMap(), new String[] {"application/json"}, diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPoliciesListResponse.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPoliciesListResponse.java new file mode 100644 index 00000000000..f45ad383361 --- /dev/null 
+++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPoliciesListResponse.java 
@@ -0,0 +1,155 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.fasterxml.jackson.annotation.JsonAnyGetter; +import com.fasterxml.jackson.annotation.JsonAnySetter; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Objects; + +/** Response object that includes a list of Agent policies */ +@JsonPropertyOrder({CloudWorkloadSecurityAgentPoliciesListResponse.JSON_PROPERTY_DATA}) +@jakarta.annotation.Generated( + value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +public class CloudWorkloadSecurityAgentPoliciesListResponse { + @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_DATA = "data"; + private List data = null; + + public CloudWorkloadSecurityAgentPoliciesListResponse data( + List data) { + this.data = data; + for (CloudWorkloadSecurityAgentPolicyData item : data) { + this.unparsed |= item.unparsed; + } + return this; + } + + public CloudWorkloadSecurityAgentPoliciesListResponse addDataItem( + CloudWorkloadSecurityAgentPolicyData dataItem) { + if (this.data == null) { + this.data = new ArrayList<>(); + } + this.data.add(dataItem); + this.unparsed |= dataItem.unparsed; + return this; + } + + /** + * A list of Agent policy objects + * + * @return data + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_DATA) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public List getData() { + return data; + } + + public void setData(List 
data) { + this.data = data; + } + + /** + * A container for additional, undeclared properties. This is a holder for any undeclared + * properties as specified with the 'additionalProperties' keyword in the OAS document. + */ + private Map additionalProperties; + + /** + * Set the additional (undeclared) property with the specified name and value. If the property + * does not already exist, create it otherwise replace it. + * + * @param key The arbitrary key to set + * @param value The associated value + * @return CloudWorkloadSecurityAgentPoliciesListResponse + */ + @JsonAnySetter + public CloudWorkloadSecurityAgentPoliciesListResponse putAdditionalProperty( + String key, Object value) { + if (this.additionalProperties == null) { + this.additionalProperties = new HashMap(); + } + this.additionalProperties.put(key, value); + return this; + } + + /** + * Return the additional (undeclared) property. + * + * @return The additional properties + */ + @JsonAnyGetter + public Map getAdditionalProperties() { + return additionalProperties; + } + + /** + * Return the additional (undeclared) property with the specified name. + * + * @param key The arbitrary key to get + * @return The specific additional property for the given key + */ + public Object getAdditionalProperty(String key) { + if (this.additionalProperties == null) { + return null; + } + return this.additionalProperties.get(key); + } + + /** Return true if this CloudWorkloadSecurityAgentPoliciesListResponse object is equal to o. 
*/ + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + CloudWorkloadSecurityAgentPoliciesListResponse cloudWorkloadSecurityAgentPoliciesListResponse = + (CloudWorkloadSecurityAgentPoliciesListResponse) o; + return Objects.equals(this.data, cloudWorkloadSecurityAgentPoliciesListResponse.data) + && Objects.equals( + this.additionalProperties, + cloudWorkloadSecurityAgentPoliciesListResponse.additionalProperties); + } + + @Override + public int hashCode() { + return Objects.hash(data, additionalProperties); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("class CloudWorkloadSecurityAgentPoliciesListResponse {\n"); + sb.append(" data: ").append(toIndentedString(data)).append("\n"); + sb.append(" additionalProperties: ") + .append(toIndentedString(additionalProperties)) + .append("\n"); + sb.append('}'); + return sb.toString(); + } + + /** + * Convert the given object to string with each line indented by 4 spaces (except the first line). + */ + private String toIndentedString(Object o) { + if (o == null) { + return "null"; + } + return o.toString().replace("\n", "\n "); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyAttributes.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyAttributes.java new file mode 100644 index 00000000000..6ec7e528c76 --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyAttributes.java 
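Review bot: The fluent setter `data(List<CloudWorkloadSecurityAgentPolicyData> data)` iterates its argument to fold `item.unparsed` into `this.unparsed`, so `data(null)` throws a NullPointerException even though the field defaults to null, the getter is annotated `@jakarta.annotation.Nullable` and `setData(null)` is accepted. Guard the loop: `if (data != null) { for (CloudWorkloadSecurityAgentPolicyData item : data) { this.unparsed |= item.unparsed; } }`. Note also that `setData` (presumably the setter Jackson pairs with the `@JsonProperty` getter) never updates `unparsed`, so a list populated through it can carry unparsed items while this object reports `unparsed == false`; if that flag is what callers rely on to detect schema drift in a response, it should be folded in there as well. `getData()` hands out the internal mutable list, which matches the generator's convention but is worth knowing for callers that cache the response.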
@@ -0,0 +1,568 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.fasterxml.jackson.annotation.JsonAnyGetter; +import com.fasterxml.jackson.annotation.JsonAnySetter; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Objects; + +/** A Cloud Workload Security Agent policy returned by the API */ +@JsonPropertyOrder({ + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_BLOCKING_RULES_COUNT, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_DATADOG_MANAGED, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_DESCRIPTION, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_DISABLED_RULES_COUNT, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_ENABLED, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_HOST_TAGS, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_HOST_TAGS_LISTS, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_MONITORING_RULES_COUNT, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_NAME, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_POLICY_VERSION, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_PRIORITY, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_RULE_COUNT, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_UPDATE_DATE, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_UPDATED_AT, + CloudWorkloadSecurityAgentPolicyAttributes.JSON_PROPERTY_UPDATER +}) +@jakarta.annotation.Generated( 
+ value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +public class CloudWorkloadSecurityAgentPolicyAttributes { + @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_BLOCKING_RULES_COUNT = "blockingRulesCount"; + private Integer blockingRulesCount; + + public static final String JSON_PROPERTY_DATADOG_MANAGED = "datadogManaged"; + private Boolean datadogManaged; + + public static final String JSON_PROPERTY_DESCRIPTION = "description"; + private String description; + + public static final String JSON_PROPERTY_DISABLED_RULES_COUNT = "disabledRulesCount"; + private Integer disabledRulesCount; + + public static final String JSON_PROPERTY_ENABLED = "enabled"; + private Boolean enabled; + + public static final String JSON_PROPERTY_HOST_TAGS = "hostTags"; + private List hostTags = null; + + public static final String JSON_PROPERTY_HOST_TAGS_LISTS = "hostTagsLists"; + private List> hostTagsLists = null; + + public static final String JSON_PROPERTY_MONITORING_RULES_COUNT = "monitoringRulesCount"; + private Integer monitoringRulesCount; + + public static final String JSON_PROPERTY_NAME = "name"; + private String name; + + public static final String JSON_PROPERTY_POLICY_VERSION = "policyVersion"; + private String policyVersion; + + public static final String JSON_PROPERTY_PRIORITY = "priority"; + private Long priority; + + public static final String JSON_PROPERTY_RULE_COUNT = "ruleCount"; + private Integer ruleCount; + + public static final String JSON_PROPERTY_UPDATE_DATE = "updateDate"; + private Long updateDate; + + public static final String JSON_PROPERTY_UPDATED_AT = "updatedAt"; + private Long updatedAt; + + public static final String JSON_PROPERTY_UPDATER = "updater"; + private CloudWorkloadSecurityAgentPolicyUpdaterAttributes updater; + + public CloudWorkloadSecurityAgentPolicyAttributes blockingRulesCount(Integer blockingRulesCount) { + this.blockingRulesCount = blockingRulesCount; + return this; + 
} + + /** + * The number of rules with the blocking feature in this policy maximum: 2147483647 + * + * @return blockingRulesCount + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_BLOCKING_RULES_COUNT) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public Integer getBlockingRulesCount() { + return blockingRulesCount; + } + + public void setBlockingRulesCount(Integer blockingRulesCount) { + this.blockingRulesCount = blockingRulesCount; + } + + public CloudWorkloadSecurityAgentPolicyAttributes datadogManaged(Boolean datadogManaged) { + this.datadogManaged = datadogManaged; + return this; + } + + /** + * Whether the policy is managed by Datadog + * + * @return datadogManaged + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_DATADOG_MANAGED) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public Boolean getDatadogManaged() { + return datadogManaged; + } + + public void setDatadogManaged(Boolean datadogManaged) { + this.datadogManaged = datadogManaged; + } + + public CloudWorkloadSecurityAgentPolicyAttributes description(String description) { + this.description = description; + return this; + } + + /** + * The description of the policy + * + * @return description + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_DESCRIPTION) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public String getDescription() { + return description; + } + + public void setDescription(String description) { + this.description = description; + } + + public CloudWorkloadSecurityAgentPolicyAttributes disabledRulesCount(Integer disabledRulesCount) { + this.disabledRulesCount = disabledRulesCount; + return this; + } + + /** + * The number of rules that are disabled in this policy maximum: 2147483647 + * + * @return disabledRulesCount + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_DISABLED_RULES_COUNT) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public Integer getDisabledRulesCount() { + 
return disabledRulesCount; + } + + public void setDisabledRulesCount(Integer disabledRulesCount) { + this.disabledRulesCount = disabledRulesCount; + } + + public CloudWorkloadSecurityAgentPolicyAttributes enabled(Boolean enabled) { + this.enabled = enabled; + return this; + } + + /** + * Whether the Agent policy is enabled + * + * @return enabled + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_ENABLED) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public Boolean getEnabled() { + return enabled; + } + + public void setEnabled(Boolean enabled) { + this.enabled = enabled; + } + + public CloudWorkloadSecurityAgentPolicyAttributes hostTags(List hostTags) { + this.hostTags = hostTags; + return this; + } + + public CloudWorkloadSecurityAgentPolicyAttributes addHostTagsItem(String hostTagsItem) { + if (this.hostTags == null) { + this.hostTags = new ArrayList<>(); + } + this.hostTags.add(hostTagsItem); + return this; + } + + /** + * The host tags defining where this policy is deployed + * + * @return hostTags + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_HOST_TAGS) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public List getHostTags() { + return hostTags; + } + + public void setHostTags(List hostTags) { + this.hostTags = hostTags; + } + + public CloudWorkloadSecurityAgentPolicyAttributes hostTagsLists( + List> hostTagsLists) { + this.hostTagsLists = hostTagsLists; + return this; + } + + public CloudWorkloadSecurityAgentPolicyAttributes addHostTagsListsItem( + List hostTagsListsItem) { + if (this.hostTagsLists == null) { + this.hostTagsLists = new ArrayList<>(); + } + this.hostTagsLists.add(hostTagsListsItem); + return this; + } + + /** + * The host tags defining where this policy is deployed, the inner values are linked with AND, the + * outer values are linked with OR + * + * @return hostTagsLists + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_HOST_TAGS_LISTS) + @JsonInclude(value = 
JsonInclude.Include.USE_DEFAULTS) + public List> getHostTagsLists() { + return hostTagsLists; + } + + public void setHostTagsLists(List> hostTagsLists) { + this.hostTagsLists = hostTagsLists; + } + + public CloudWorkloadSecurityAgentPolicyAttributes monitoringRulesCount( + Integer monitoringRulesCount) { + this.monitoringRulesCount = monitoringRulesCount; + return this; + } + + /** + * The number of rules in the monitoring state in this policy maximum: 2147483647 + * + * @return monitoringRulesCount + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_MONITORING_RULES_COUNT) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public Integer getMonitoringRulesCount() { + return monitoringRulesCount; + } + + public void setMonitoringRulesCount(Integer monitoringRulesCount) { + this.monitoringRulesCount = monitoringRulesCount; + } + + public CloudWorkloadSecurityAgentPolicyAttributes name(String name) { + this.name = name; + return this; + } + + /** + * The name of the policy + * + * @return name + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_NAME) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + public CloudWorkloadSecurityAgentPolicyAttributes policyVersion(String policyVersion) { + this.policyVersion = policyVersion; + return this; + } + + /** + * The version of the policy + * + * @return policyVersion + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_POLICY_VERSION) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public String getPolicyVersion() { + return policyVersion; + } + + public void setPolicyVersion(String policyVersion) { + this.policyVersion = policyVersion; + } + + public CloudWorkloadSecurityAgentPolicyAttributes priority(Long priority) { + this.priority = priority; + return this; + } + + /** + * The priority of the policy + * + * @return priority + */ + 
@jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_PRIORITY) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public Long getPriority() { + return priority; + } + + public void setPriority(Long priority) { + this.priority = priority; + } + + public CloudWorkloadSecurityAgentPolicyAttributes ruleCount(Integer ruleCount) { + this.ruleCount = ruleCount; + return this; + } + + /** + * The number of rules in this policy maximum: 2147483647 + * + * @return ruleCount + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_RULE_COUNT) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public Integer getRuleCount() { + return ruleCount; + } + + public void setRuleCount(Integer ruleCount) { + this.ruleCount = ruleCount; + } + + public CloudWorkloadSecurityAgentPolicyAttributes updateDate(Long updateDate) { + this.updateDate = updateDate; + return this; + } + + /** + * Timestamp in milliseconds when the policy was last updated + * + * @return updateDate + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_UPDATE_DATE) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public Long getUpdateDate() { + return updateDate; + } + + public void setUpdateDate(Long updateDate) { + this.updateDate = updateDate; + } + + public CloudWorkloadSecurityAgentPolicyAttributes updatedAt(Long updatedAt) { + this.updatedAt = updatedAt; + return this; + } + + /** + * When the policy was last updated, timestamp in milliseconds + * + * @return updatedAt + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_UPDATED_AT) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public Long getUpdatedAt() { + return updatedAt; + } + + public void setUpdatedAt(Long updatedAt) { + this.updatedAt = updatedAt; + } + + public CloudWorkloadSecurityAgentPolicyAttributes updater( + CloudWorkloadSecurityAgentPolicyUpdaterAttributes updater) { + this.updater = updater; + this.unparsed |= updater.unparsed; + return this; + } + + /** + * The 
attributes of the user who last updated the policy + * + * @return updater + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_UPDATER) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public CloudWorkloadSecurityAgentPolicyUpdaterAttributes getUpdater() { + return updater; + } + + public void setUpdater(CloudWorkloadSecurityAgentPolicyUpdaterAttributes updater) { + this.updater = updater; + } + + /** + * A container for additional, undeclared properties. This is a holder for any undeclared + * properties as specified with the 'additionalProperties' keyword in the OAS document. + */ + private Map additionalProperties; + + /** + * Set the additional (undeclared) property with the specified name and value. If the property + * does not already exist, create it otherwise replace it. + * + * @param key The arbitrary key to set + * @param value The associated value + * @return CloudWorkloadSecurityAgentPolicyAttributes + */ + @JsonAnySetter + public CloudWorkloadSecurityAgentPolicyAttributes putAdditionalProperty( + String key, Object value) { + if (this.additionalProperties == null) { + this.additionalProperties = new HashMap(); + } + this.additionalProperties.put(key, value); + return this; + } + + /** + * Return the additional (undeclared) property. + * + * @return The additional properties + */ + @JsonAnyGetter + public Map getAdditionalProperties() { + return additionalProperties; + } + + /** + * Return the additional (undeclared) property with the specified name. + * + * @param key The arbitrary key to get + * @return The specific additional property for the given key + */ + public Object getAdditionalProperty(String key) { + if (this.additionalProperties == null) { + return null; + } + return this.additionalProperties.get(key); + } + + /** Return true if this CloudWorkloadSecurityAgentPolicyAttributes object is equal to o. 
*/ + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + CloudWorkloadSecurityAgentPolicyAttributes cloudWorkloadSecurityAgentPolicyAttributes = + (CloudWorkloadSecurityAgentPolicyAttributes) o; + return Objects.equals( + this.blockingRulesCount, cloudWorkloadSecurityAgentPolicyAttributes.blockingRulesCount) + && Objects.equals( + this.datadogManaged, cloudWorkloadSecurityAgentPolicyAttributes.datadogManaged) + && Objects.equals(this.description, cloudWorkloadSecurityAgentPolicyAttributes.description) + && Objects.equals( + this.disabledRulesCount, cloudWorkloadSecurityAgentPolicyAttributes.disabledRulesCount) + && Objects.equals(this.enabled, cloudWorkloadSecurityAgentPolicyAttributes.enabled) + && Objects.equals(this.hostTags, cloudWorkloadSecurityAgentPolicyAttributes.hostTags) + && Objects.equals( + this.hostTagsLists, cloudWorkloadSecurityAgentPolicyAttributes.hostTagsLists) + && Objects.equals( + this.monitoringRulesCount, + cloudWorkloadSecurityAgentPolicyAttributes.monitoringRulesCount) + && Objects.equals(this.name, cloudWorkloadSecurityAgentPolicyAttributes.name) + && Objects.equals( + this.policyVersion, cloudWorkloadSecurityAgentPolicyAttributes.policyVersion) + && Objects.equals(this.priority, cloudWorkloadSecurityAgentPolicyAttributes.priority) + && Objects.equals(this.ruleCount, cloudWorkloadSecurityAgentPolicyAttributes.ruleCount) + && Objects.equals(this.updateDate, cloudWorkloadSecurityAgentPolicyAttributes.updateDate) + && Objects.equals(this.updatedAt, cloudWorkloadSecurityAgentPolicyAttributes.updatedAt) + && Objects.equals(this.updater, cloudWorkloadSecurityAgentPolicyAttributes.updater) + && Objects.equals( + this.additionalProperties, + cloudWorkloadSecurityAgentPolicyAttributes.additionalProperties); + } + + @Override + public int hashCode() { + return Objects.hash( + blockingRulesCount, + datadogManaged, + description, + 
disabledRulesCount, + enabled, + hostTags, + hostTagsLists, + monitoringRulesCount, + name, + policyVersion, + priority, + ruleCount, + updateDate, + updatedAt, + updater, + additionalProperties); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("class CloudWorkloadSecurityAgentPolicyAttributes {\n"); + sb.append(" blockingRulesCount: ").append(toIndentedString(blockingRulesCount)).append("\n"); + sb.append(" datadogManaged: ").append(toIndentedString(datadogManaged)).append("\n"); + sb.append(" description: ").append(toIndentedString(description)).append("\n"); + sb.append(" disabledRulesCount: ").append(toIndentedString(disabledRulesCount)).append("\n"); + sb.append(" enabled: ").append(toIndentedString(enabled)).append("\n"); + sb.append(" hostTags: ").append(toIndentedString(hostTags)).append("\n"); + sb.append(" hostTagsLists: ").append(toIndentedString(hostTagsLists)).append("\n"); + sb.append(" monitoringRulesCount: ") + .append(toIndentedString(monitoringRulesCount)) + .append("\n"); + sb.append(" name: ").append(toIndentedString(name)).append("\n"); + sb.append(" policyVersion: ").append(toIndentedString(policyVersion)).append("\n"); + sb.append(" priority: ").append(toIndentedString(priority)).append("\n"); + sb.append(" ruleCount: ").append(toIndentedString(ruleCount)).append("\n"); + sb.append(" updateDate: ").append(toIndentedString(updateDate)).append("\n"); + sb.append(" updatedAt: ").append(toIndentedString(updatedAt)).append("\n"); + sb.append(" updater: ").append(toIndentedString(updater)).append("\n"); + sb.append(" additionalProperties: ") + .append(toIndentedString(additionalProperties)) + .append("\n"); + sb.append('}'); + return sb.toString(); + } + + /** + * Convert the given object to string with each line indented by 4 spaces (except the first line). 
+ */ + private String toIndentedString(Object o) { + if (o == null) { + return "null"; + } + return o.toString().replace("\n", "\n "); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyCreateAttributes.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyCreateAttributes.java new file mode 100644 index 00000000000..184831c20ee --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyCreateAttributes.java 
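Review bot: `updater(CloudWorkloadSecurityAgentPolicyUpdaterAttributes updater)` does `this.unparsed |= updater.unparsed;` without a null check, so passing null throws a NullPointerException although `getUpdater()` is annotated `@jakarta.annotation.Nullable` and `setUpdater(null)` is accepted; guard it with `if (updater != null) { this.unparsed |= updater.unparsed; }`. The count getters' Javadoc has the schema bound glued onto the sentence (`The number of rules with the blocking feature in this policy maximum: 2147483647`); a period before `Maximum` or a separate line would read better, and the same applies to `disabledRulesCount`, `monitoringRulesCount` and `ruleCount`. `updateDate` and `updatedAt` are both documented as the millisecond timestamp of the last update; if one is the legacy field, the Javadoc should say which so callers do not pick at random — I cannot tell from the page which is canonical.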
@@ -0,0 +1,281 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.fasterxml.jackson.annotation.JsonAnyGetter; +import com.fasterxml.jackson.annotation.JsonAnySetter; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Objects; + +/** Create a new Cloud Workload Security Agent policy */ +@JsonPropertyOrder({ + CloudWorkloadSecurityAgentPolicyCreateAttributes.JSON_PROPERTY_DESCRIPTION, + CloudWorkloadSecurityAgentPolicyCreateAttributes.JSON_PROPERTY_ENABLED, + CloudWorkloadSecurityAgentPolicyCreateAttributes.JSON_PROPERTY_HOST_TAGS, + CloudWorkloadSecurityAgentPolicyCreateAttributes.JSON_PROPERTY_HOST_TAGS_LISTS, + CloudWorkloadSecurityAgentPolicyCreateAttributes.JSON_PROPERTY_NAME +}) +@jakarta.annotation.Generated( + value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +public class CloudWorkloadSecurityAgentPolicyCreateAttributes { + @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_DESCRIPTION = "description"; + private String description; + + public static final String JSON_PROPERTY_ENABLED = "enabled"; + private Boolean enabled; + + public static final String JSON_PROPERTY_HOST_TAGS = "hostTags"; + private List hostTags = null; + + public static final String JSON_PROPERTY_HOST_TAGS_LISTS = "hostTagsLists"; + private List> hostTagsLists = null; + + public static final String JSON_PROPERTY_NAME = "name"; 
+ private String name; + + public CloudWorkloadSecurityAgentPolicyCreateAttributes() {} + + @JsonCreator + public CloudWorkloadSecurityAgentPolicyCreateAttributes( + @JsonProperty(required = true, value = JSON_PROPERTY_NAME) String name) { + this.name = name; + } + + public CloudWorkloadSecurityAgentPolicyCreateAttributes description(String description) { + this.description = description; + return this; + } + + /** + * The description of the policy + * + * @return description + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_DESCRIPTION) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public String getDescription() { + return description; + } + + public void setDescription(String description) { + this.description = description; + } + + public CloudWorkloadSecurityAgentPolicyCreateAttributes enabled(Boolean enabled) { + this.enabled = enabled; + return this; + } + + /** + * Whether the policy is enabled + * + * @return enabled + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_ENABLED) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public Boolean getEnabled() { + return enabled; + } + + public void setEnabled(Boolean enabled) { + this.enabled = enabled; + } + + public CloudWorkloadSecurityAgentPolicyCreateAttributes hostTags(List hostTags) { + this.hostTags = hostTags; + return this; + } + + public CloudWorkloadSecurityAgentPolicyCreateAttributes addHostTagsItem(String hostTagsItem) { + if (this.hostTags == null) { + this.hostTags = new ArrayList<>(); + } + this.hostTags.add(hostTagsItem); + return this; + } + + /** + * The host tags defining where this policy is deployed + * + * @return hostTags + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_HOST_TAGS) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public List getHostTags() { + return hostTags; + } + + public void setHostTags(List hostTags) { + this.hostTags = hostTags; + } + + public 
CloudWorkloadSecurityAgentPolicyCreateAttributes hostTagsLists( + List> hostTagsLists) { + this.hostTagsLists = hostTagsLists; + return this; + } + + public CloudWorkloadSecurityAgentPolicyCreateAttributes addHostTagsListsItem( + List hostTagsListsItem) { + if (this.hostTagsLists == null) { + this.hostTagsLists = new ArrayList<>(); + } + this.hostTagsLists.add(hostTagsListsItem); + return this; + } + + /** + * The host tags defining where this policy is deployed, the inner values are linked with AND, the + * outer values are linked with OR + * + * @return hostTagsLists + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_HOST_TAGS_LISTS) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public List> getHostTagsLists() { + return hostTagsLists; + } + + public void setHostTagsLists(List> hostTagsLists) { + this.hostTagsLists = hostTagsLists; + } + + public CloudWorkloadSecurityAgentPolicyCreateAttributes name(String name) { + this.name = name; + return this; + } + + /** + * The name of the policy + * + * @return name + */ + @JsonProperty(JSON_PROPERTY_NAME) + @JsonInclude(value = JsonInclude.Include.ALWAYS) + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + /** + * A container for additional, undeclared properties. This is a holder for any undeclared + * properties as specified with the 'additionalProperties' keyword in the OAS document. + */ + private Map additionalProperties; + + /** + * Set the additional (undeclared) property with the specified name and value. If the property + * does not already exist, create it otherwise replace it. 
+ * + * @param key The arbitrary key to set + * @param value The associated value + * @return CloudWorkloadSecurityAgentPolicyCreateAttributes + */ + @JsonAnySetter + public CloudWorkloadSecurityAgentPolicyCreateAttributes putAdditionalProperty( + String key, Object value) { + if (this.additionalProperties == null) { + this.additionalProperties = new HashMap(); + } + this.additionalProperties.put(key, value); + return this; + } + + /** + * Return the additional (undeclared) property. + * + * @return The additional properties + */ + @JsonAnyGetter + public Map getAdditionalProperties() { + return additionalProperties; + } + + /** + * Return the additional (undeclared) property with the specified name. + * + * @param key The arbitrary key to get + * @return The specific additional property for the given key + */ + public Object getAdditionalProperty(String key) { + if (this.additionalProperties == null) { + return null; + } + return this.additionalProperties.get(key); + } + + /** Return true if this CloudWorkloadSecurityAgentPolicyCreateAttributes object is equal to o. 
*/ + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + CloudWorkloadSecurityAgentPolicyCreateAttributes + cloudWorkloadSecurityAgentPolicyCreateAttributes = + (CloudWorkloadSecurityAgentPolicyCreateAttributes) o; + return Objects.equals( + this.description, cloudWorkloadSecurityAgentPolicyCreateAttributes.description) + && Objects.equals(this.enabled, cloudWorkloadSecurityAgentPolicyCreateAttributes.enabled) + && Objects.equals(this.hostTags, cloudWorkloadSecurityAgentPolicyCreateAttributes.hostTags) + && Objects.equals( + this.hostTagsLists, cloudWorkloadSecurityAgentPolicyCreateAttributes.hostTagsLists) + && Objects.equals(this.name, cloudWorkloadSecurityAgentPolicyCreateAttributes.name) + && Objects.equals( + this.additionalProperties, + cloudWorkloadSecurityAgentPolicyCreateAttributes.additionalProperties); + } + + @Override + public int hashCode() { + return Objects.hash(description, enabled, hostTags, hostTagsLists, name, additionalProperties); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("class CloudWorkloadSecurityAgentPolicyCreateAttributes {\n"); + sb.append(" description: ").append(toIndentedString(description)).append("\n"); + sb.append(" enabled: ").append(toIndentedString(enabled)).append("\n"); + sb.append(" hostTags: ").append(toIndentedString(hostTags)).append("\n"); + sb.append(" hostTagsLists: ").append(toIndentedString(hostTagsLists)).append("\n"); + sb.append(" name: ").append(toIndentedString(name)).append("\n"); + sb.append(" additionalProperties: ") + .append(toIndentedString(additionalProperties)) + .append("\n"); + sb.append('}'); + return sb.toString(); + } + + /** + * Convert the given object to string with each line indented by 4 spaces (except the first line). 
+ */ + private String toIndentedString(Object o) { + if (o == null) { + return "null"; + } + return o.toString().replace("\n", "\n "); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyCreateData.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyCreateData.java new file mode 100644 index 00000000000..daee5ccc573 --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyCreateData.java 
@@ -0,0 +1,188 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.fasterxml.jackson.annotation.JsonAnyGetter; +import com.fasterxml.jackson.annotation.JsonAnySetter; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; + +/** Object for a single Agent rule */ +@JsonPropertyOrder({ + CloudWorkloadSecurityAgentPolicyCreateData.JSON_PROPERTY_ATTRIBUTES, + CloudWorkloadSecurityAgentPolicyCreateData.JSON_PROPERTY_TYPE +}) +@jakarta.annotation.Generated( + value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +public class CloudWorkloadSecurityAgentPolicyCreateData { + @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_ATTRIBUTES = "attributes"; + private CloudWorkloadSecurityAgentPolicyCreateAttributes attributes; + + public static final String JSON_PROPERTY_TYPE = "type"; + private CloudWorkloadSecurityAgentPolicyType type = CloudWorkloadSecurityAgentPolicyType.POLICY; + + public CloudWorkloadSecurityAgentPolicyCreateData() {} + + @JsonCreator + public CloudWorkloadSecurityAgentPolicyCreateData( + @JsonProperty(required = true, value = JSON_PROPERTY_ATTRIBUTES) + CloudWorkloadSecurityAgentPolicyCreateAttributes attributes, + @JsonProperty(required = true, value = JSON_PROPERTY_TYPE) + CloudWorkloadSecurityAgentPolicyType type) { + this.attributes = attributes; + this.unparsed |= attributes.unparsed; + this.type = type; + this.unparsed |= !type.isValid(); + 
} + + public CloudWorkloadSecurityAgentPolicyCreateData attributes( + CloudWorkloadSecurityAgentPolicyCreateAttributes attributes) { + this.attributes = attributes; + this.unparsed |= attributes.unparsed; + return this; + } + + /** + * Create a new Cloud Workload Security Agent policy + * + * @return attributes + */ + @JsonProperty(JSON_PROPERTY_ATTRIBUTES) + @JsonInclude(value = JsonInclude.Include.ALWAYS) + public CloudWorkloadSecurityAgentPolicyCreateAttributes getAttributes() { + return attributes; + } + + public void setAttributes(CloudWorkloadSecurityAgentPolicyCreateAttributes attributes) { + this.attributes = attributes; + } + + public CloudWorkloadSecurityAgentPolicyCreateData type( + CloudWorkloadSecurityAgentPolicyType type) { + this.type = type; + this.unparsed |= !type.isValid(); + return this; + } + + /** + * The type of the resource, must always be policy + * + * @return type + */ + @JsonProperty(JSON_PROPERTY_TYPE) + @JsonInclude(value = JsonInclude.Include.ALWAYS) + public CloudWorkloadSecurityAgentPolicyType getType() { + return type; + } + + public void setType(CloudWorkloadSecurityAgentPolicyType type) { + if (!type.isValid()) { + this.unparsed = true; + } + this.type = type; + } + + /** + * A container for additional, undeclared properties. This is a holder for any undeclared + * properties as specified with the 'additionalProperties' keyword in the OAS document. + */ + private Map additionalProperties; + + /** + * Set the additional (undeclared) property with the specified name and value. If the property + * does not already exist, create it otherwise replace it. 
+ * + * @param key The arbitrary key to set + * @param value The associated value + * @return CloudWorkloadSecurityAgentPolicyCreateData + */ + @JsonAnySetter + public CloudWorkloadSecurityAgentPolicyCreateData putAdditionalProperty( + String key, Object value) { + if (this.additionalProperties == null) { + this.additionalProperties = new HashMap(); + } + this.additionalProperties.put(key, value); + return this; + } + + /** + * Return the additional (undeclared) property. + * + * @return The additional properties + */ + @JsonAnyGetter + public Map getAdditionalProperties() { + return additionalProperties; + } + + /** + * Return the additional (undeclared) property with the specified name. + * + * @param key The arbitrary key to get + * @return The specific additional property for the given key + */ + public Object getAdditionalProperty(String key) { + if (this.additionalProperties == null) { + return null; + } + return this.additionalProperties.get(key); + } + + /** Return true if this CloudWorkloadSecurityAgentPolicyCreateData object is equal to o. 
*/ + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + CloudWorkloadSecurityAgentPolicyCreateData cloudWorkloadSecurityAgentPolicyCreateData = + (CloudWorkloadSecurityAgentPolicyCreateData) o; + return Objects.equals(this.attributes, cloudWorkloadSecurityAgentPolicyCreateData.attributes) + && Objects.equals(this.type, cloudWorkloadSecurityAgentPolicyCreateData.type) + && Objects.equals( + this.additionalProperties, + cloudWorkloadSecurityAgentPolicyCreateData.additionalProperties); + } + + @Override + public int hashCode() { + return Objects.hash(attributes, type, additionalProperties); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("class CloudWorkloadSecurityAgentPolicyCreateData {\n"); + sb.append(" attributes: ").append(toIndentedString(attributes)).append("\n"); + sb.append(" type: ").append(toIndentedString(type)).append("\n"); + sb.append(" additionalProperties: ") + .append(toIndentedString(additionalProperties)) + .append("\n"); + sb.append('}'); + return sb.toString(); + } + + /** + * Convert the given object to string with each line indented by 4 spaces (except the first line). + */ + private String toIndentedString(Object o) { + if (o == null) { + return "null"; + } + return o.toString().replace("\n", "\n "); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyCreateRequest.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyCreateRequest.java new file mode 100644 index 00000000000..6d4b6bb78fa --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyCreateRequest.java 
@@ -0,0 +1,151 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.fasterxml.jackson.annotation.JsonAnyGetter; +import com.fasterxml.jackson.annotation.JsonAnySetter; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; + +/** Request object that includes the Agent policy to create */ +@JsonPropertyOrder({CloudWorkloadSecurityAgentPolicyCreateRequest.JSON_PROPERTY_DATA}) +@jakarta.annotation.Generated( + value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +public class CloudWorkloadSecurityAgentPolicyCreateRequest { + @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_DATA = "data"; + private CloudWorkloadSecurityAgentPolicyCreateData data; + + public CloudWorkloadSecurityAgentPolicyCreateRequest() {} + + @JsonCreator + public CloudWorkloadSecurityAgentPolicyCreateRequest( + @JsonProperty(required = true, value = JSON_PROPERTY_DATA) + CloudWorkloadSecurityAgentPolicyCreateData data) { + this.data = data; + this.unparsed |= data.unparsed; + } + + public CloudWorkloadSecurityAgentPolicyCreateRequest data( + CloudWorkloadSecurityAgentPolicyCreateData data) { + this.data = data; + this.unparsed |= data.unparsed; + return this; + } + + /** + * Object for a single Agent rule + * + * @return data + */ + @JsonProperty(JSON_PROPERTY_DATA) + @JsonInclude(value = JsonInclude.Include.ALWAYS) + public CloudWorkloadSecurityAgentPolicyCreateData getData() { + return 
data; + } + + public void setData(CloudWorkloadSecurityAgentPolicyCreateData data) { + this.data = data; + } + + /** + * A container for additional, undeclared properties. This is a holder for any undeclared + * properties as specified with the 'additionalProperties' keyword in the OAS document. + */ + private Map additionalProperties; + + /** + * Set the additional (undeclared) property with the specified name and value. If the property + * does not already exist, create it otherwise replace it. + * + * @param key The arbitrary key to set + * @param value The associated value + * @return CloudWorkloadSecurityAgentPolicyCreateRequest + */ + @JsonAnySetter + public CloudWorkloadSecurityAgentPolicyCreateRequest putAdditionalProperty( + String key, Object value) { + if (this.additionalProperties == null) { + this.additionalProperties = new HashMap(); + } + this.additionalProperties.put(key, value); + return this; + } + + /** + * Return the additional (undeclared) property. + * + * @return The additional properties + */ + @JsonAnyGetter + public Map getAdditionalProperties() { + return additionalProperties; + } + + /** + * Return the additional (undeclared) property with the specified name. + * + * @param key The arbitrary key to get + * @return The specific additional property for the given key + */ + public Object getAdditionalProperty(String key) { + if (this.additionalProperties == null) { + return null; + } + return this.additionalProperties.get(key); + } + + /** Return true if this CloudWorkloadSecurityAgentPolicyCreateRequest object is equal to o. 
*/ + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + CloudWorkloadSecurityAgentPolicyCreateRequest cloudWorkloadSecurityAgentPolicyCreateRequest = + (CloudWorkloadSecurityAgentPolicyCreateRequest) o; + return Objects.equals(this.data, cloudWorkloadSecurityAgentPolicyCreateRequest.data) + && Objects.equals( + this.additionalProperties, + cloudWorkloadSecurityAgentPolicyCreateRequest.additionalProperties); + } + + @Override + public int hashCode() { + return Objects.hash(data, additionalProperties); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("class CloudWorkloadSecurityAgentPolicyCreateRequest {\n"); + sb.append(" data: ").append(toIndentedString(data)).append("\n"); + sb.append(" additionalProperties: ") + .append(toIndentedString(additionalProperties)) + .append("\n"); + sb.append('}'); + return sb.toString(); + } + + /** + * Convert the given object to string with each line indented by 4 spaces (except the first line). + */ + private String toIndentedString(Object o) { + if (o == null) { + return "null"; + } + return o.toString().replace("\n", "\n "); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyData.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyData.java new file mode 100644 index 00000000000..f08fad627af --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyData.java 
@@ -0,0 +1,199 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.fasterxml.jackson.annotation.JsonAnyGetter; +import com.fasterxml.jackson.annotation.JsonAnySetter; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; + +/** Object for a single Agent policy */ +@JsonPropertyOrder({ + CloudWorkloadSecurityAgentPolicyData.JSON_PROPERTY_ATTRIBUTES, + CloudWorkloadSecurityAgentPolicyData.JSON_PROPERTY_ID, + CloudWorkloadSecurityAgentPolicyData.JSON_PROPERTY_TYPE +}) +@jakarta.annotation.Generated( + value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +public class CloudWorkloadSecurityAgentPolicyData { + @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_ATTRIBUTES = "attributes"; + private CloudWorkloadSecurityAgentPolicyAttributes attributes; + + public static final String JSON_PROPERTY_ID = "id"; + private String id; + + public static final String JSON_PROPERTY_TYPE = "type"; + private CloudWorkloadSecurityAgentPolicyType type = CloudWorkloadSecurityAgentPolicyType.POLICY; + + public CloudWorkloadSecurityAgentPolicyData attributes( + CloudWorkloadSecurityAgentPolicyAttributes attributes) { + this.attributes = attributes; + this.unparsed |= attributes.unparsed; + return this; + } + + /** + * A Cloud Workload Security Agent policy returned by the API + * + * @return attributes + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_ATTRIBUTES) + @JsonInclude(value = 
JsonInclude.Include.USE_DEFAULTS) + public CloudWorkloadSecurityAgentPolicyAttributes getAttributes() { + return attributes; + } + + public void setAttributes(CloudWorkloadSecurityAgentPolicyAttributes attributes) { + this.attributes = attributes; + } + + public CloudWorkloadSecurityAgentPolicyData id(String id) { + this.id = id; + return this; + } + + /** + * The ID of the Agent policy + * + * @return id + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_ID) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public String getId() { + return id; + } + + public void setId(String id) { + this.id = id; + } + + public CloudWorkloadSecurityAgentPolicyData type(CloudWorkloadSecurityAgentPolicyType type) { + this.type = type; + this.unparsed |= !type.isValid(); + return this; + } + + /** + * The type of the resource, must always be policy + * + * @return type + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_TYPE) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public CloudWorkloadSecurityAgentPolicyType getType() { + return type; + } + + public void setType(CloudWorkloadSecurityAgentPolicyType type) { + if (!type.isValid()) { + this.unparsed = true; + } + this.type = type; + } + + /** + * A container for additional, undeclared properties. This is a holder for any undeclared + * properties as specified with the 'additionalProperties' keyword in the OAS document. + */ + private Map additionalProperties; + + /** + * Set the additional (undeclared) property with the specified name and value. If the property + * does not already exist, create it otherwise replace it. 
+ * + * @param key The arbitrary key to set + * @param value The associated value + * @return CloudWorkloadSecurityAgentPolicyData + */ + @JsonAnySetter + public CloudWorkloadSecurityAgentPolicyData putAdditionalProperty(String key, Object value) { + if (this.additionalProperties == null) { + this.additionalProperties = new HashMap(); + } + this.additionalProperties.put(key, value); + return this; + } + + /** + * Return the additional (undeclared) property. + * + * @return The additional properties + */ + @JsonAnyGetter + public Map getAdditionalProperties() { + return additionalProperties; + } + + /** + * Return the additional (undeclared) property with the specified name. + * + * @param key The arbitrary key to get + * @return The specific additional property for the given key + */ + public Object getAdditionalProperty(String key) { + if (this.additionalProperties == null) { + return null; + } + return this.additionalProperties.get(key); + } + + /** Return true if this CloudWorkloadSecurityAgentPolicyData object is equal to o. 
*/ + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + CloudWorkloadSecurityAgentPolicyData cloudWorkloadSecurityAgentPolicyData = + (CloudWorkloadSecurityAgentPolicyData) o; + return Objects.equals(this.attributes, cloudWorkloadSecurityAgentPolicyData.attributes) + && Objects.equals(this.id, cloudWorkloadSecurityAgentPolicyData.id) + && Objects.equals(this.type, cloudWorkloadSecurityAgentPolicyData.type) + && Objects.equals( + this.additionalProperties, cloudWorkloadSecurityAgentPolicyData.additionalProperties); + } + + @Override + public int hashCode() { + return Objects.hash(attributes, id, type, additionalProperties); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("class CloudWorkloadSecurityAgentPolicyData {\n"); + sb.append(" attributes: ").append(toIndentedString(attributes)).append("\n"); + sb.append(" id: ").append(toIndentedString(id)).append("\n"); + sb.append(" type: ").append(toIndentedString(type)).append("\n"); + sb.append(" additionalProperties: ") + .append(toIndentedString(additionalProperties)) + .append("\n"); + sb.append('}'); + return sb.toString(); + } + + /** + * Convert the given object to string with each line indented by 4 spaces (except the first line). + */ + private String toIndentedString(Object o) { + if (o == null) { + return "null"; + } + return o.toString().replace("\n", "\n "); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyResponse.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyResponse.java new file mode 100644 index 00000000000..f71564b299d --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyResponse.java 
@@ -0,0 +1,139 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.fasterxml.jackson.annotation.JsonAnyGetter; +import com.fasterxml.jackson.annotation.JsonAnySetter; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; + +/** Response object that includes an Agent policy */ +@JsonPropertyOrder({CloudWorkloadSecurityAgentPolicyResponse.JSON_PROPERTY_DATA}) +@jakarta.annotation.Generated( + value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +public class CloudWorkloadSecurityAgentPolicyResponse { + @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_DATA = "data"; + private CloudWorkloadSecurityAgentPolicyData data; + + public CloudWorkloadSecurityAgentPolicyResponse data(CloudWorkloadSecurityAgentPolicyData data) { + this.data = data; + this.unparsed |= data.unparsed; + return this; + } + + /** + * Object for a single Agent policy + * + * @return data + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_DATA) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public CloudWorkloadSecurityAgentPolicyData getData() { + return data; + } + + public void setData(CloudWorkloadSecurityAgentPolicyData data) { + this.data = data; + } + + /** + * A container for additional, undeclared properties. This is a holder for any undeclared + * properties as specified with the 'additionalProperties' keyword in the OAS document. 
+ */ + private Map additionalProperties; + + /** + * Set the additional (undeclared) property with the specified name and value. If the property + * does not already exist, create it otherwise replace it. + * + * @param key The arbitrary key to set + * @param value The associated value + * @return CloudWorkloadSecurityAgentPolicyResponse + */ + @JsonAnySetter + public CloudWorkloadSecurityAgentPolicyResponse putAdditionalProperty(String key, Object value) { + if (this.additionalProperties == null) { + this.additionalProperties = new HashMap(); + } + this.additionalProperties.put(key, value); + return this; + } + + /** + * Return the additional (undeclared) property. + * + * @return The additional properties + */ + @JsonAnyGetter + public Map getAdditionalProperties() { + return additionalProperties; + } + + /** + * Return the additional (undeclared) property with the specified name. + * + * @param key The arbitrary key to get + * @return The specific additional property for the given key + */ + public Object getAdditionalProperty(String key) { + if (this.additionalProperties == null) { + return null; + } + return this.additionalProperties.get(key); + } + + /** Return true if this CloudWorkloadSecurityAgentPolicyResponse object is equal to o. 
*/ + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + CloudWorkloadSecurityAgentPolicyResponse cloudWorkloadSecurityAgentPolicyResponse = + (CloudWorkloadSecurityAgentPolicyResponse) o; + return Objects.equals(this.data, cloudWorkloadSecurityAgentPolicyResponse.data) + && Objects.equals( + this.additionalProperties, + cloudWorkloadSecurityAgentPolicyResponse.additionalProperties); + } + + @Override + public int hashCode() { + return Objects.hash(data, additionalProperties); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("class CloudWorkloadSecurityAgentPolicyResponse {\n"); + sb.append(" data: ").append(toIndentedString(data)).append("\n"); + sb.append(" additionalProperties: ") + .append(toIndentedString(additionalProperties)) + .append("\n"); + sb.append('}'); + return sb.toString(); + } + + /** + * Convert the given object to string with each line indented by 4 spaces (except the first line). + */ + private String toIndentedString(Object o) { + if (o == null) { + return "null"; + } + return o.toString().replace("\n", "\n "); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyType.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyType.java new file mode 100644 index 00000000000..e4021409f92 --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyType.java 
@@ -0,0 +1,59 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.datadog.api.client.ModelEnum; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.SerializerProvider; +import com.fasterxml.jackson.databind.annotation.JsonSerialize; +import com.fasterxml.jackson.databind.ser.std.StdSerializer; +import java.io.IOException; +import java.util.Arrays; +import java.util.HashSet; +import java.util.Set; + +/** The type of the resource, must always be policy */ +@JsonSerialize( + using = + CloudWorkloadSecurityAgentPolicyType.CloudWorkloadSecurityAgentPolicyTypeSerializer.class) +public class CloudWorkloadSecurityAgentPolicyType extends ModelEnum { + + private static final Set allowedValues = new HashSet(Arrays.asList("policy")); + + public static final CloudWorkloadSecurityAgentPolicyType POLICY = + new CloudWorkloadSecurityAgentPolicyType("policy"); + + CloudWorkloadSecurityAgentPolicyType(String value) { + super(value, allowedValues); + } + + public static class CloudWorkloadSecurityAgentPolicyTypeSerializer + extends StdSerializer { + public CloudWorkloadSecurityAgentPolicyTypeSerializer( + Class t) { + super(t); + } + + public CloudWorkloadSecurityAgentPolicyTypeSerializer() { + this(null); + } + + @Override + public void serialize( + CloudWorkloadSecurityAgentPolicyType value, JsonGenerator jgen, SerializerProvider provider) + throws IOException, JsonProcessingException { + jgen.writeObject(value.value); + } + } + + @JsonCreator + public static CloudWorkloadSecurityAgentPolicyType fromValue(String value) { + return new CloudWorkloadSecurityAgentPolicyType(value); + } 
+} diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdateAttributes.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdateAttributes.java new file mode 100644 index 00000000000..91930b7514b --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdateAttributes.java 
@@ -0,0 +1,273 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.fasterxml.jackson.annotation.JsonAnyGetter; +import com.fasterxml.jackson.annotation.JsonAnySetter; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Objects; + +/** Update an existing Cloud Workload Security Agent policy */ +@JsonPropertyOrder({ + CloudWorkloadSecurityAgentPolicyUpdateAttributes.JSON_PROPERTY_DESCRIPTION, + CloudWorkloadSecurityAgentPolicyUpdateAttributes.JSON_PROPERTY_ENABLED, + CloudWorkloadSecurityAgentPolicyUpdateAttributes.JSON_PROPERTY_HOST_TAGS, + CloudWorkloadSecurityAgentPolicyUpdateAttributes.JSON_PROPERTY_HOST_TAGS_LISTS, + CloudWorkloadSecurityAgentPolicyUpdateAttributes.JSON_PROPERTY_NAME +}) +@jakarta.annotation.Generated( + value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +public class CloudWorkloadSecurityAgentPolicyUpdateAttributes { + @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_DESCRIPTION = "description"; + private String description; + + public static final String JSON_PROPERTY_ENABLED = "enabled"; + private Boolean enabled; + + public static final String JSON_PROPERTY_HOST_TAGS = "hostTags"; + private List hostTags = null; + + public static final String JSON_PROPERTY_HOST_TAGS_LISTS = "hostTagsLists"; + private List> hostTagsLists = null; + + public static final String JSON_PROPERTY_NAME = "name"; + private String name; + + public 
CloudWorkloadSecurityAgentPolicyUpdateAttributes description(String description) { + this.description = description; + return this; + } + + /** + * The description of the policy + * + * @return description + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_DESCRIPTION) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public String getDescription() { + return description; + } + + public void setDescription(String description) { + this.description = description; + } + + public CloudWorkloadSecurityAgentPolicyUpdateAttributes enabled(Boolean enabled) { + this.enabled = enabled; + return this; + } + + /** + * Whether the policy is enabled + * + * @return enabled + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_ENABLED) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public Boolean getEnabled() { + return enabled; + } + + public void setEnabled(Boolean enabled) { + this.enabled = enabled; + } + + public CloudWorkloadSecurityAgentPolicyUpdateAttributes hostTags(List hostTags) { + this.hostTags = hostTags; + return this; + } + + public CloudWorkloadSecurityAgentPolicyUpdateAttributes addHostTagsItem(String hostTagsItem) { + if (this.hostTags == null) { + this.hostTags = new ArrayList<>(); + } + this.hostTags.add(hostTagsItem); + return this; + } + + /** + * The host tags defining where this policy is deployed + * + * @return hostTags + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_HOST_TAGS) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public List getHostTags() { + return hostTags; + } + + public void setHostTags(List hostTags) { + this.hostTags = hostTags; + } + + public CloudWorkloadSecurityAgentPolicyUpdateAttributes hostTagsLists( + List> hostTagsLists) { + this.hostTagsLists = hostTagsLists; + return this; + } + + public CloudWorkloadSecurityAgentPolicyUpdateAttributes addHostTagsListsItem( + List hostTagsListsItem) { + if (this.hostTagsLists == null) { + this.hostTagsLists = new 
ArrayList<>(); + } + this.hostTagsLists.add(hostTagsListsItem); + return this; + } + + /** + * The host tags defining where this policy is deployed, the inner values are linked with AND, the + * outer values are linked with OR + * + * @return hostTagsLists + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_HOST_TAGS_LISTS) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public List> getHostTagsLists() { + return hostTagsLists; + } + + public void setHostTagsLists(List> hostTagsLists) { + this.hostTagsLists = hostTagsLists; + } + + public CloudWorkloadSecurityAgentPolicyUpdateAttributes name(String name) { + this.name = name; + return this; + } + + /** + * The name of the policy + * + * @return name + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_NAME) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + /** + * A container for additional, undeclared properties. This is a holder for any undeclared + * properties as specified with the 'additionalProperties' keyword in the OAS document. + */ + private Map additionalProperties; + + /** + * Set the additional (undeclared) property with the specified name and value. If the property + * does not already exist, create it otherwise replace it. + * + * @param key The arbitrary key to set + * @param value The associated value + * @return CloudWorkloadSecurityAgentPolicyUpdateAttributes + */ + @JsonAnySetter + public CloudWorkloadSecurityAgentPolicyUpdateAttributes putAdditionalProperty( + String key, Object value) { + if (this.additionalProperties == null) { + this.additionalProperties = new HashMap(); + } + this.additionalProperties.put(key, value); + return this; + } + + /** + * Return the additional (undeclared) property. 
+ * + * @return The additional properties + */ + @JsonAnyGetter + public Map getAdditionalProperties() { + return additionalProperties; + } + + /** + * Return the additional (undeclared) property with the specified name. + * + * @param key The arbitrary key to get + * @return The specific additional property for the given key + */ + public Object getAdditionalProperty(String key) { + if (this.additionalProperties == null) { + return null; + } + return this.additionalProperties.get(key); + } + + /** Return true if this CloudWorkloadSecurityAgentPolicyUpdateAttributes object is equal to o. */ + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + CloudWorkloadSecurityAgentPolicyUpdateAttributes + cloudWorkloadSecurityAgentPolicyUpdateAttributes = + (CloudWorkloadSecurityAgentPolicyUpdateAttributes) o; + return Objects.equals( + this.description, cloudWorkloadSecurityAgentPolicyUpdateAttributes.description) + && Objects.equals(this.enabled, cloudWorkloadSecurityAgentPolicyUpdateAttributes.enabled) + && Objects.equals(this.hostTags, cloudWorkloadSecurityAgentPolicyUpdateAttributes.hostTags) + && Objects.equals( + this.hostTagsLists, cloudWorkloadSecurityAgentPolicyUpdateAttributes.hostTagsLists) + && Objects.equals(this.name, cloudWorkloadSecurityAgentPolicyUpdateAttributes.name) + && Objects.equals( + this.additionalProperties, + cloudWorkloadSecurityAgentPolicyUpdateAttributes.additionalProperties); + } + + @Override + public int hashCode() { + return Objects.hash(description, enabled, hostTags, hostTagsLists, name, additionalProperties); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("class CloudWorkloadSecurityAgentPolicyUpdateAttributes {\n"); + sb.append(" description: ").append(toIndentedString(description)).append("\n"); + sb.append(" enabled: ").append(toIndentedString(enabled)).append("\n"); + sb.append(" 
hostTags: ").append(toIndentedString(hostTags)).append("\n"); + sb.append(" hostTagsLists: ").append(toIndentedString(hostTagsLists)).append("\n"); + sb.append(" name: ").append(toIndentedString(name)).append("\n"); + sb.append(" additionalProperties: ") + .append(toIndentedString(additionalProperties)) + .append("\n"); + sb.append('}'); + return sb.toString(); + } + + /** + * Convert the given object to string with each line indented by 4 spaces (except the first line). + */ + private String toIndentedString(Object o) { + if (o == null) { + return "null"; + } + return o.toString().replace("\n", "\n "); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdateData.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdateData.java new file mode 100644 index 00000000000..f212e600c6d --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdateData.java 
@@ -0,0 +1,215 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.fasterxml.jackson.annotation.JsonAnyGetter; +import com.fasterxml.jackson.annotation.JsonAnySetter; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; + +/** Object for a single Agent policy */ +@JsonPropertyOrder({ + CloudWorkloadSecurityAgentPolicyUpdateData.JSON_PROPERTY_ATTRIBUTES, + CloudWorkloadSecurityAgentPolicyUpdateData.JSON_PROPERTY_ID, + CloudWorkloadSecurityAgentPolicyUpdateData.JSON_PROPERTY_TYPE +}) +@jakarta.annotation.Generated( + value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +public class CloudWorkloadSecurityAgentPolicyUpdateData { + @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_ATTRIBUTES = "attributes"; + private CloudWorkloadSecurityAgentPolicyUpdateAttributes attributes; + + public static final String JSON_PROPERTY_ID = "id"; + private String id; + + public static final String JSON_PROPERTY_TYPE = "type"; + private CloudWorkloadSecurityAgentPolicyType type = CloudWorkloadSecurityAgentPolicyType.POLICY; + + public CloudWorkloadSecurityAgentPolicyUpdateData() {} + + @JsonCreator + public CloudWorkloadSecurityAgentPolicyUpdateData( + @JsonProperty(required = true, value = JSON_PROPERTY_ATTRIBUTES) + CloudWorkloadSecurityAgentPolicyUpdateAttributes attributes, + @JsonProperty(required = true, value = JSON_PROPERTY_TYPE) + 
CloudWorkloadSecurityAgentPolicyType type) { + this.attributes = attributes; + this.unparsed |= attributes.unparsed; + this.type = type; + this.unparsed |= !type.isValid(); + } + + public CloudWorkloadSecurityAgentPolicyUpdateData attributes( + CloudWorkloadSecurityAgentPolicyUpdateAttributes attributes) { + this.attributes = attributes; + this.unparsed |= attributes.unparsed; + return this; + } + + /** + * Update an existing Cloud Workload Security Agent policy + * + * @return attributes + */ + @JsonProperty(JSON_PROPERTY_ATTRIBUTES) + @JsonInclude(value = JsonInclude.Include.ALWAYS) + public CloudWorkloadSecurityAgentPolicyUpdateAttributes getAttributes() { + return attributes; + } + + public void setAttributes(CloudWorkloadSecurityAgentPolicyUpdateAttributes attributes) { + this.attributes = attributes; + } + + public CloudWorkloadSecurityAgentPolicyUpdateData id(String id) { + this.id = id; + return this; + } + + /** + * The ID of the Agent policy + * + * @return id + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_ID) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public String getId() { + return id; + } + + public void setId(String id) { + this.id = id; + } + + public CloudWorkloadSecurityAgentPolicyUpdateData type( + CloudWorkloadSecurityAgentPolicyType type) { + this.type = type; + this.unparsed |= !type.isValid(); + return this; + } + + /** + * The type of the resource, must always be policy + * + * @return type + */ + @JsonProperty(JSON_PROPERTY_TYPE) + @JsonInclude(value = JsonInclude.Include.ALWAYS) + public CloudWorkloadSecurityAgentPolicyType getType() { + return type; + } + + public void setType(CloudWorkloadSecurityAgentPolicyType type) { + if (!type.isValid()) { + this.unparsed = true; + } + this.type = type; + } + + /** + * A container for additional, undeclared properties. This is a holder for any undeclared + * properties as specified with the 'additionalProperties' keyword in the OAS document. 
+ */ + private Map additionalProperties; + + /** + * Set the additional (undeclared) property with the specified name and value. If the property + * does not already exist, create it otherwise replace it. + * + * @param key The arbitrary key to set + * @param value The associated value + * @return CloudWorkloadSecurityAgentPolicyUpdateData + */ + @JsonAnySetter + public CloudWorkloadSecurityAgentPolicyUpdateData putAdditionalProperty( + String key, Object value) { + if (this.additionalProperties == null) { + this.additionalProperties = new HashMap(); + } + this.additionalProperties.put(key, value); + return this; + } + + /** + * Return the additional (undeclared) property. + * + * @return The additional properties + */ + @JsonAnyGetter + public Map getAdditionalProperties() { + return additionalProperties; + } + + /** + * Return the additional (undeclared) property with the specified name. + * + * @param key The arbitrary key to get + * @return The specific additional property for the given key + */ + public Object getAdditionalProperty(String key) { + if (this.additionalProperties == null) { + return null; + } + return this.additionalProperties.get(key); + } + + /** Return true if this CloudWorkloadSecurityAgentPolicyUpdateData object is equal to o. 
*/ + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + CloudWorkloadSecurityAgentPolicyUpdateData cloudWorkloadSecurityAgentPolicyUpdateData = + (CloudWorkloadSecurityAgentPolicyUpdateData) o; + return Objects.equals(this.attributes, cloudWorkloadSecurityAgentPolicyUpdateData.attributes) + && Objects.equals(this.id, cloudWorkloadSecurityAgentPolicyUpdateData.id) + && Objects.equals(this.type, cloudWorkloadSecurityAgentPolicyUpdateData.type) + && Objects.equals( + this.additionalProperties, + cloudWorkloadSecurityAgentPolicyUpdateData.additionalProperties); + } + + @Override + public int hashCode() { + return Objects.hash(attributes, id, type, additionalProperties); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("class CloudWorkloadSecurityAgentPolicyUpdateData {\n"); + sb.append(" attributes: ").append(toIndentedString(attributes)).append("\n"); + sb.append(" id: ").append(toIndentedString(id)).append("\n"); + sb.append(" type: ").append(toIndentedString(type)).append("\n"); + sb.append(" additionalProperties: ") + .append(toIndentedString(additionalProperties)) + .append("\n"); + sb.append('}'); + return sb.toString(); + } + + /** + * Convert the given object to string with each line indented by 4 spaces (except the first line). + */ + private String toIndentedString(Object o) { + if (o == null) { + return "null"; + } + return o.toString().replace("\n", "\n "); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdateRequest.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdateRequest.java new file mode 100644 index 00000000000..977a8d74d6c --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdateRequest.java 
@@ -0,0 +1,151 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.fasterxml.jackson.annotation.JsonAnyGetter; +import com.fasterxml.jackson.annotation.JsonAnySetter; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; + +/** Request object that includes the Agent policy with the attributes to update */ +@JsonPropertyOrder({CloudWorkloadSecurityAgentPolicyUpdateRequest.JSON_PROPERTY_DATA}) +@jakarta.annotation.Generated( + value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +public class CloudWorkloadSecurityAgentPolicyUpdateRequest { + @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_DATA = "data"; + private CloudWorkloadSecurityAgentPolicyUpdateData data; + + public CloudWorkloadSecurityAgentPolicyUpdateRequest() {} + + @JsonCreator + public CloudWorkloadSecurityAgentPolicyUpdateRequest( + @JsonProperty(required = true, value = JSON_PROPERTY_DATA) + CloudWorkloadSecurityAgentPolicyUpdateData data) { + this.data = data; + this.unparsed |= data.unparsed; + } + + public CloudWorkloadSecurityAgentPolicyUpdateRequest data( + CloudWorkloadSecurityAgentPolicyUpdateData data) { + this.data = data; + this.unparsed |= data.unparsed; + return this; + } + + /** + * Object for a single Agent policy + * + * @return data + */ + @JsonProperty(JSON_PROPERTY_DATA) + @JsonInclude(value = JsonInclude.Include.ALWAYS) + public 
CloudWorkloadSecurityAgentPolicyUpdateData getData() { + return data; + } + + public void setData(CloudWorkloadSecurityAgentPolicyUpdateData data) { + this.data = data; + } + + /** + * A container for additional, undeclared properties. This is a holder for any undeclared + * properties as specified with the 'additionalProperties' keyword in the OAS document. + */ + private Map additionalProperties; + + /** + * Set the additional (undeclared) property with the specified name and value. If the property + * does not already exist, create it otherwise replace it. + * + * @param key The arbitrary key to set + * @param value The associated value + * @return CloudWorkloadSecurityAgentPolicyUpdateRequest + */ + @JsonAnySetter + public CloudWorkloadSecurityAgentPolicyUpdateRequest putAdditionalProperty( + String key, Object value) { + if (this.additionalProperties == null) { + this.additionalProperties = new HashMap(); + } + this.additionalProperties.put(key, value); + return this; + } + + /** + * Return the additional (undeclared) property. + * + * @return The additional properties + */ + @JsonAnyGetter + public Map getAdditionalProperties() { + return additionalProperties; + } + + /** + * Return the additional (undeclared) property with the specified name. + * + * @param key The arbitrary key to get + * @return The specific additional property for the given key + */ + public Object getAdditionalProperty(String key) { + if (this.additionalProperties == null) { + return null; + } + return this.additionalProperties.get(key); + } + + /** Return true if this CloudWorkloadSecurityAgentPolicyUpdateRequest object is equal to o. 
*/ + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + CloudWorkloadSecurityAgentPolicyUpdateRequest cloudWorkloadSecurityAgentPolicyUpdateRequest = + (CloudWorkloadSecurityAgentPolicyUpdateRequest) o; + return Objects.equals(this.data, cloudWorkloadSecurityAgentPolicyUpdateRequest.data) + && Objects.equals( + this.additionalProperties, + cloudWorkloadSecurityAgentPolicyUpdateRequest.additionalProperties); + } + + @Override + public int hashCode() { + return Objects.hash(data, additionalProperties); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("class CloudWorkloadSecurityAgentPolicyUpdateRequest {\n"); + sb.append(" data: ").append(toIndentedString(data)).append("\n"); + sb.append(" additionalProperties: ") + .append(toIndentedString(additionalProperties)) + .append("\n"); + sb.append('}'); + return sb.toString(); + } + + /** + * Convert the given object to string with each line indented by 4 spaces (except the first line). + */ + private String toIndentedString(Object o) { + if (o == null) { + return "null"; + } + return o.toString().replace("\n", "\n "); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdaterAttributes.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdaterAttributes.java new file mode 100644 index 00000000000..d9584a11d08 --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentPolicyUpdaterAttributes.java 
@@ -0,0 +1,180 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.fasterxml.jackson.annotation.JsonAnyGetter; +import com.fasterxml.jackson.annotation.JsonAnySetter; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; +import org.openapitools.jackson.nullable.JsonNullable; + +/** The attributes of the user who last updated the policy */ +@JsonPropertyOrder({ + CloudWorkloadSecurityAgentPolicyUpdaterAttributes.JSON_PROPERTY_HANDLE, + CloudWorkloadSecurityAgentPolicyUpdaterAttributes.JSON_PROPERTY_NAME +}) +@jakarta.annotation.Generated( + value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +public class CloudWorkloadSecurityAgentPolicyUpdaterAttributes { + @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_HANDLE = "handle"; + private String handle; + + public static final String JSON_PROPERTY_NAME = "name"; + private JsonNullable name = JsonNullable.undefined(); + + public CloudWorkloadSecurityAgentPolicyUpdaterAttributes handle(String handle) { + this.handle = handle; + return this; + } + + /** + * The handle of the user + * + * @return handle + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_HANDLE) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public String getHandle() { + return handle; + } + + public void setHandle(String handle) { + this.handle = handle; + } + + public CloudWorkloadSecurityAgentPolicyUpdaterAttributes name(String name) { + this.name = 
JsonNullable.of(name); + return this; + } + + /** + * The name of the user + * + * @return name + */ + @jakarta.annotation.Nullable + @JsonIgnore + public String getName() { + return name.orElse(null); + } + + @JsonProperty(JSON_PROPERTY_NAME) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public JsonNullable getName_JsonNullable() { + return name; + } + + @JsonProperty(JSON_PROPERTY_NAME) + public void setName_JsonNullable(JsonNullable name) { + this.name = name; + } + + public void setName(String name) { + this.name = JsonNullable.of(name); + } + + /** + * A container for additional, undeclared properties. This is a holder for any undeclared + * properties as specified with the 'additionalProperties' keyword in the OAS document. + */ + private Map additionalProperties; + + /** + * Set the additional (undeclared) property with the specified name and value. If the property + * does not already exist, create it otherwise replace it. + * + * @param key The arbitrary key to set + * @param value The associated value + * @return CloudWorkloadSecurityAgentPolicyUpdaterAttributes + */ + @JsonAnySetter + public CloudWorkloadSecurityAgentPolicyUpdaterAttributes putAdditionalProperty( + String key, Object value) { + if (this.additionalProperties == null) { + this.additionalProperties = new HashMap(); + } + this.additionalProperties.put(key, value); + return this; + } + + /** + * Return the additional (undeclared) property. + * + * @return The additional properties + */ + @JsonAnyGetter + public Map getAdditionalProperties() { + return additionalProperties; + } + + /** + * Return the additional (undeclared) property with the specified name. 
+ * + * @param key The arbitrary key to get + * @return The specific additional property for the given key + */ + public Object getAdditionalProperty(String key) { + if (this.additionalProperties == null) { + return null; + } + return this.additionalProperties.get(key); + } + + /** Return true if this CloudWorkloadSecurityAgentPolicyUpdaterAttributes object is equal to o. */ + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + CloudWorkloadSecurityAgentPolicyUpdaterAttributes + cloudWorkloadSecurityAgentPolicyUpdaterAttributes = + (CloudWorkloadSecurityAgentPolicyUpdaterAttributes) o; + return Objects.equals(this.handle, cloudWorkloadSecurityAgentPolicyUpdaterAttributes.handle) + && Objects.equals(this.name, cloudWorkloadSecurityAgentPolicyUpdaterAttributes.name) + && Objects.equals( + this.additionalProperties, + cloudWorkloadSecurityAgentPolicyUpdaterAttributes.additionalProperties); + } + + @Override + public int hashCode() { + return Objects.hash(handle, name, additionalProperties); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("class CloudWorkloadSecurityAgentPolicyUpdaterAttributes {\n"); + sb.append(" handle: ").append(toIndentedString(handle)).append("\n"); + sb.append(" name: ").append(toIndentedString(name)).append("\n"); + sb.append(" additionalProperties: ") + .append(toIndentedString(additionalProperties)) + .append("\n"); + sb.append('}'); + return sb.toString(); + } + + /** + * Convert the given object to string with each line indented by 4 spaces (except the first line). + */ + private String toIndentedString(Object o) { + if (o == null) { + return "null"; + } + return o.toString().replace("\n", "\n "); + } +} 
diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleAction.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleAction.java index e2414d9a728..5f9c29a775f 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleAction.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleAction.java @@ -16,7 +16,7 @@ import java.util.Map; import java.util.Objects; -/** The action the rule can perform if triggered. */ +/** The action the rule can perform if triggered */ @JsonPropertyOrder({ CloudWorkloadSecurityAgentRuleAction.JSON_PROPERTY_FILTER, CloudWorkloadSecurityAgentRuleAction.JSON_PROPERTY_KILL diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleAttributes.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleAttributes.java index 21bd61b9d1e..bcd662fce68 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleAttributes.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleAttributes.java @@ -19,7 +19,7 @@ import java.util.Objects; import org.openapitools.jackson.nullable.JsonNullable; -/** A Cloud Workload Security Agent rule returned by the API. */ +/** A Cloud Workload Security Agent rule returned by the API */ @JsonPropertyOrder({ CloudWorkloadSecurityAgentRuleAttributes.JSON_PROPERTY_ACTIONS, CloudWorkloadSecurityAgentRuleAttributes.JSON_PROPERTY_AGENT_CONSTRAINT, 
@@ -33,6 +33,7 @@ CloudWorkloadSecurityAgentRuleAttributes.JSON_PROPERTY_EXPRESSION, CloudWorkloadSecurityAgentRuleAttributes.JSON_PROPERTY_FILTERS, CloudWorkloadSecurityAgentRuleAttributes.JSON_PROPERTY_NAME, + CloudWorkloadSecurityAgentRuleAttributes.JSON_PROPERTY_PRODUCT_TAGS, CloudWorkloadSecurityAgentRuleAttributes.JSON_PROPERTY_UPDATE_AUTHOR_UU_ID, CloudWorkloadSecurityAgentRuleAttributes.JSON_PROPERTY_UPDATE_DATE, CloudWorkloadSecurityAgentRuleAttributes.JSON_PROPERTY_UPDATED_AT, @@ -80,6 +81,9 @@ public class CloudWorkloadSecurityAgentRuleAttributes { public static final String JSON_PROPERTY_NAME = "name"; private String name; + public static final String JSON_PROPERTY_PRODUCT_TAGS = "product_tags"; + private List productTags = null; + public static final String JSON_PROPERTY_UPDATE_AUTHOR_UU_ID = "updateAuthorUuId"; private String updateAuthorUuId; @@ -115,7 +119,7 @@ public CloudWorkloadSecurityAgentRuleAttributes addActionsItem( } /** - * The array of actions the rule can perform if triggered. + * The array of actions the rule can perform if triggered * * @return actions */ @@ -147,7 +151,7 @@ public CloudWorkloadSecurityAgentRuleAttributes agentConstraint(String agentCons } /** - * The version of the agent. + * The version of the Agent * * @return agentConstraint */ @@ -168,7 +172,7 @@ public CloudWorkloadSecurityAgentRuleAttributes category(String category) { } /** - * The category of the Agent rule. + * The category of the Agent rule * * @return category */ @@ -189,7 +193,7 @@ public CloudWorkloadSecurityAgentRuleAttributes creationAuthorUuId(String creati } /** - * The ID of the user who created the rule. + * The ID of the user who created the rule * * @return creationAuthorUuId */ @@ -210,7 +214,7 @@ public CloudWorkloadSecurityAgentRuleAttributes creationDate(Long creationDate) } /** - * When the Agent rule was created, timestamp in milliseconds. + * When the Agent rule was created, timestamp in milliseconds * * @return creationDate */ 
@@ -233,7 +237,7 @@ public CloudWorkloadSecurityAgentRuleAttributes creator( } /** - * The attributes of the user who created the Agent rule. + * The attributes of the user who created the Agent rule * * @return creator */ @@ -254,7 +258,7 @@ public CloudWorkloadSecurityAgentRuleAttributes defaultRule(Boolean defaultRule) } /** - * Whether the rule is included by default. + * Whether the rule is included by default * * @return defaultRule */ @@ -275,7 +279,7 @@ public CloudWorkloadSecurityAgentRuleAttributes description(String description) } /** - * The description of the Agent rule. + * The description of the Agent rule * * @return description */ @@ -296,7 +300,7 @@ public CloudWorkloadSecurityAgentRuleAttributes enabled(Boolean enabled) { } /** - * Whether the Agent rule is enabled. + * Whether the Agent rule is enabled * * @return enabled */ @@ -317,7 +321,7 @@ public CloudWorkloadSecurityAgentRuleAttributes expression(String expression) { } /** - * The SECL expression of the Agent rule. + * The SECL expression of the Agent rule * * @return expression */ @@ -346,7 +350,7 @@ public CloudWorkloadSecurityAgentRuleAttributes addFiltersItem(String filtersIte } /** - * The platforms the Agent rule is supported on. + * The platforms the Agent rule is supported on * * @return filters */ @@ -367,7 +371,7 @@ public CloudWorkloadSecurityAgentRuleAttributes name(String name) { } /** - * The name of the Agent rule. + * The name of the Agent rule * * @return name */ 
@@ -382,13 +386,42 @@ public void setName(String name) { this.name = name; } + public CloudWorkloadSecurityAgentRuleAttributes productTags(List productTags) { + this.productTags = productTags; + return this; + } + + public CloudWorkloadSecurityAgentRuleAttributes addProductTagsItem(String productTagsItem) { + if (this.productTags == null) { + this.productTags = new ArrayList<>(); + } + this.productTags.add(productTagsItem); + return this; + } + + /** + * The list of product tags associated with the rule + * + * @return productTags + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_PRODUCT_TAGS) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public List getProductTags() { + return productTags; + } + + public void setProductTags(List productTags) { + this.productTags = productTags; + } + public CloudWorkloadSecurityAgentRuleAttributes updateAuthorUuId(String updateAuthorUuId) { this.updateAuthorUuId = updateAuthorUuId; return this; } /** - * The ID of the user who updated the rule. + * The ID of the user who updated the rule * * @return updateAuthorUuId */ @@ -409,7 +442,7 @@ public CloudWorkloadSecurityAgentRuleAttributes updateDate(Long updateDate) { } /** - * Timestamp in milliseconds when the Agent rule was last updated. + * Timestamp in milliseconds when the Agent rule was last updated * * @return updateDate */ @@ -430,7 +463,7 @@ public CloudWorkloadSecurityAgentRuleAttributes updatedAt(Long updatedAt) { } /** - * When the Agent rule was last updated, timestamp in milliseconds. + * When the Agent rule was last updated, timestamp in milliseconds * * @return updatedAt */ @@ -453,7 +486,7 @@ public CloudWorkloadSecurityAgentRuleAttributes updater( } /** - * The attributes of the user who last updated the Agent rule. + * The attributes of the user who last updated the Agent rule * * @return updater */ 
@@ -474,7 +507,7 @@ public CloudWorkloadSecurityAgentRuleAttributes version(Long version) { } /** - * The version of the Agent rule. + * The version of the Agent rule * * @return version */ @@ -560,6 +593,7 @@ public boolean equals(Object o) { && Objects.equals(this.expression, cloudWorkloadSecurityAgentRuleAttributes.expression) && Objects.equals(this.filters, cloudWorkloadSecurityAgentRuleAttributes.filters) && Objects.equals(this.name, cloudWorkloadSecurityAgentRuleAttributes.name) + && Objects.equals(this.productTags, cloudWorkloadSecurityAgentRuleAttributes.productTags) && Objects.equals( this.updateAuthorUuId, cloudWorkloadSecurityAgentRuleAttributes.updateAuthorUuId) && Objects.equals(this.updateDate, cloudWorkloadSecurityAgentRuleAttributes.updateDate) @@ -586,6 +620,7 @@ public int hashCode() { expression, filters, name, + productTags, updateAuthorUuId, updateDate, updatedAt, @@ -610,6 +645,7 @@ public String toString() { sb.append(" expression: ").append(toIndentedString(expression)).append("\n"); sb.append(" filters: ").append(toIndentedString(filters)).append("\n"); sb.append(" name: ").append(toIndentedString(name)).append("\n"); + sb.append(" productTags: ").append(toIndentedString(productTags)).append("\n"); sb.append(" updateAuthorUuId: ").append(toIndentedString(updateAuthorUuId)).append("\n"); sb.append(" updateDate: ").append(toIndentedString(updateDate)).append("\n"); sb.append(" updatedAt: ").append(toIndentedString(updatedAt)).append("\n"); diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreateAttributes.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreateAttributes.java index e77426c2345..2a6a3f1cbf9 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreateAttributes.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreateAttributes.java 
@@ -25,7 +25,9 @@ CloudWorkloadSecurityAgentRuleCreateAttributes.JSON_PROPERTY_ENABLED, CloudWorkloadSecurityAgentRuleCreateAttributes.JSON_PROPERTY_EXPRESSION, CloudWorkloadSecurityAgentRuleCreateAttributes.JSON_PROPERTY_FILTERS, - CloudWorkloadSecurityAgentRuleCreateAttributes.JSON_PROPERTY_NAME + CloudWorkloadSecurityAgentRuleCreateAttributes.JSON_PROPERTY_NAME, + CloudWorkloadSecurityAgentRuleCreateAttributes.JSON_PROPERTY_POLICY_ID, + CloudWorkloadSecurityAgentRuleCreateAttributes.JSON_PROPERTY_PRODUCT_TAGS }) @jakarta.annotation.Generated( value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") @@ -46,6 +48,12 @@ public class CloudWorkloadSecurityAgentRuleCreateAttributes { public static final String JSON_PROPERTY_NAME = "name"; private String name; + public static final String JSON_PROPERTY_POLICY_ID = "policy_id"; + private String policyId; + + public static final String JSON_PROPERTY_PRODUCT_TAGS = "product_tags"; + private List productTags = null; + public CloudWorkloadSecurityAgentRuleCreateAttributes() {} @JsonCreator @@ -83,7 +91,7 @@ public CloudWorkloadSecurityAgentRuleCreateAttributes enabled(Boolean enabled) { } /** - * Whether the Agent rule is enabled. + * Whether the Agent rule is enabled * * @return enabled */ @@ -132,7 +140,7 @@ public CloudWorkloadSecurityAgentRuleCreateAttributes addFiltersItem(String filt } /** - * The platforms the Agent rule is supported on. + * The platforms the Agent rule is supported on * * @return filters */ 
@@ -167,6 +175,56 @@ public void setName(String name) { this.name = name; } + public CloudWorkloadSecurityAgentRuleCreateAttributes policyId(String policyId) { + this.policyId = policyId; + return this; + } + + /** + * The ID of the policy where the Agent rule is saved + * + * @return policyId + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_POLICY_ID) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public String getPolicyId() { + return policyId; + } + + public void setPolicyId(String policyId) { + this.policyId = policyId; + } + + public CloudWorkloadSecurityAgentRuleCreateAttributes productTags(List productTags) { + this.productTags = productTags; + return this; + } + + public CloudWorkloadSecurityAgentRuleCreateAttributes addProductTagsItem(String productTagsItem) { + if (this.productTags == null) { + this.productTags = new ArrayList<>(); + } + this.productTags.add(productTagsItem); + return this; + } + + /** + * The list of product tags associated with the rule + * + * @return productTags + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_PRODUCT_TAGS) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public List getProductTags() { + return productTags; + } + + public void setProductTags(List productTags) { + this.productTags = productTags; + } + /** * A container for additional, undeclared properties. This is a holder for any undeclared * properties as specified with the 'additionalProperties' keyword in the OAS document. 
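Review bot: The Javadoc added for `getPolicyId()` says where the rule is saved but not what an absent value means; `policyId` is `@Nullable` with no default, so a caller that never sets it sends no `policy_id` (the recorded cassettes in this patch omit unset fields, e.g. `hostTags` is absent from the policy OK-response request), and the doc should state how the API resolves that case — presumably a default policy, to be confirmed against the spec. Proposed wording: `@return policyId, or {@code null} if no policy was specified (the API then applies its default — TODO confirm)`. The same gap exists for `getProductTags()` here and for both accessors in the UpdateAttributes hunk (`@@ -98,6 +108,56 @@`): an unset list is omitted from the request, whereas one created via `addProductTagsItem` or set to an empty list is sent as `[]` (the Bad-Request cassette shows `"product_tags":[]`), which the server may interpret on update as clearing the tags — the Javadoc should spell out that difference, e.g. `@return productTags, or {@code null} when unset; an empty list is serialized as {@code []}`. The enclosing class continues outside the hunk.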
@@ -232,6 +290,9 @@ public boolean equals(Object o) { this.expression, cloudWorkloadSecurityAgentRuleCreateAttributes.expression) && Objects.equals(this.filters, cloudWorkloadSecurityAgentRuleCreateAttributes.filters) && Objects.equals(this.name, cloudWorkloadSecurityAgentRuleCreateAttributes.name) + && Objects.equals(this.policyId, cloudWorkloadSecurityAgentRuleCreateAttributes.policyId) + && Objects.equals( + this.productTags, cloudWorkloadSecurityAgentRuleCreateAttributes.productTags) && Objects.equals( this.additionalProperties, cloudWorkloadSecurityAgentRuleCreateAttributes.additionalProperties); @@ -239,7 +300,15 @@ public boolean equals(Object o) { @Override public int hashCode() { - return Objects.hash(description, enabled, expression, filters, name, additionalProperties); + return Objects.hash( + description, + enabled, + expression, + filters, + name, + policyId, + productTags, + additionalProperties); } @Override @@ -251,6 +320,8 @@ public String toString() { sb.append(" expression: ").append(toIndentedString(expression)).append("\n"); sb.append(" filters: ").append(toIndentedString(filters)).append("\n"); sb.append(" name: ").append(toIndentedString(name)).append("\n"); + sb.append(" policyId: ").append(toIndentedString(policyId)).append("\n"); + sb.append(" productTags: ").append(toIndentedString(productTags)).append("\n"); sb.append(" additionalProperties: ") .append(toIndentedString(additionalProperties)) .append("\n"); diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreateData.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreateData.java index 7752486c704..8aba29023c1 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreateData.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreateData.java 
@@ -17,7 +17,7 @@ import java.util.Map; import java.util.Objects; -/** Object for a single Agent rule. */ +/** Object for a single Agent rule */ @JsonPropertyOrder({ CloudWorkloadSecurityAgentRuleCreateData.JSON_PROPERTY_ATTRIBUTES, CloudWorkloadSecurityAgentRuleCreateData.JSON_PROPERTY_TYPE @@ -75,7 +75,7 @@ public CloudWorkloadSecurityAgentRuleCreateData type(CloudWorkloadSecurityAgentR } /** - * The type of the resource. The value should always be agent_rule. + * The type of the resource, must always be agent_rule * * @return type */ diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreateRequest.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreateRequest.java index 282f3b49e0d..5c90a4c125a 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreateRequest.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreateRequest.java @@ -17,7 +17,7 @@ import java.util.Map; import java.util.Objects; -/** Request object that includes the Agent rule to create. */ +/** Request object that includes the Agent rule to create */ @JsonPropertyOrder({CloudWorkloadSecurityAgentRuleCreateRequest.JSON_PROPERTY_DATA}) @jakarta.annotation.Generated( value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") @@ -44,7 +44,7 @@ public CloudWorkloadSecurityAgentRuleCreateRequest data( } /** - * Object for a single Agent rule. + * Object for a single Agent rule * * @return data */ diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreatorAttributes.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreatorAttributes.java index 00b6ec3b1d0..2be4780da63 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreatorAttributes.java 
+++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleCreatorAttributes.java @@ -17,7 +17,7 @@ import java.util.Objects; import org.openapitools.jackson.nullable.JsonNullable; -/** The attributes of the user who created the Agent rule. */ +/** The attributes of the user who created the Agent rule */ @JsonPropertyOrder({ CloudWorkloadSecurityAgentRuleCreatorAttributes.JSON_PROPERTY_HANDLE, CloudWorkloadSecurityAgentRuleCreatorAttributes.JSON_PROPERTY_NAME @@ -38,7 +38,7 @@ public CloudWorkloadSecurityAgentRuleCreatorAttributes handle(String handle) { } /** - * The handle of the user. + * The handle of the user * * @return handle */ @@ -59,7 +59,7 @@ public CloudWorkloadSecurityAgentRuleCreatorAttributes name(String name) { } /** - * The name of the user. + * The name of the user * * @return name */ diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleData.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleData.java index b56789c2188..296dfedd4b6 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleData.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleData.java @@ -16,7 +16,7 @@ import java.util.Map; import java.util.Objects; -/** Object for a single Agent rule. */ +/** Object for a single Agent rule */ @JsonPropertyOrder({ CloudWorkloadSecurityAgentRuleData.JSON_PROPERTY_ATTRIBUTES, CloudWorkloadSecurityAgentRuleData.JSON_PROPERTY_ID, @@ -43,7 +43,7 @@ public CloudWorkloadSecurityAgentRuleData attributes( } /** - * A Cloud Workload Security Agent rule returned by the API. + * A Cloud Workload Security Agent rule returned by the API * * @return attributes */ @@ -64,7 +64,7 @@ public CloudWorkloadSecurityAgentRuleData id(String id) { } /** - * The ID of the Agent rule. + * The ID of the Agent rule * * @return id */ 
@@ -86,7 +86,7 @@ public CloudWorkloadSecurityAgentRuleData type(CloudWorkloadSecurityAgentRuleTyp } /** - * The type of the resource. The value should always be agent_rule. + * The type of the resource, must always be agent_rule * * @return type */ diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleKill.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleKill.java index 95d2b7cbcc7..c4ac8f579ae 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleKill.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleKill.java @@ -31,7 +31,7 @@ public CloudWorkloadSecurityAgentRuleKill signal(String signal) { } /** - * Supported signals for the kill system call. + * Supported signals for the kill system call * * @return signal */ diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleResponse.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleResponse.java index 5fb3604c54c..2156abfbdad 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleResponse.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleResponse.java @@ -16,7 +16,7 @@ import java.util.Map; import java.util.Objects; -/** Response object that includes an Agent rule. */ +/** Response object that includes an Agent rule */ @JsonPropertyOrder({CloudWorkloadSecurityAgentRuleResponse.JSON_PROPERTY_DATA}) @jakarta.annotation.Generated( value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") @@ -32,7 +32,7 @@ public CloudWorkloadSecurityAgentRuleResponse data(CloudWorkloadSecurityAgentRul } /** - * Object for a single Agent rule. + * Object for a single Agent rule * * @return data */ 
diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleType.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleType.java index 056b115da49..2f5bf4d401a 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleType.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleType.java @@ -18,7 +18,7 @@ import java.util.HashSet; import java.util.Set; -/** The type of the resource. The value should always be agent_rule. */ +/** The type of the resource, must always be agent_rule */ @JsonSerialize( using = CloudWorkloadSecurityAgentRuleType.CloudWorkloadSecurityAgentRuleTypeSerializer.class) public class CloudWorkloadSecurityAgentRuleType extends ModelEnum { diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdateAttributes.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdateAttributes.java index e5ce1fb16fc..026a416be13 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdateAttributes.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdateAttributes.java 
@@ -12,15 +12,19 @@ import com.fasterxml.jackson.annotation.JsonInclude; import com.fasterxml.jackson.annotation.JsonProperty; import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.ArrayList; import java.util.HashMap; +import java.util.List; import java.util.Map; import java.util.Objects; -/** Update an existing Cloud Workload Security Agent rule. */ +/** Update an existing Cloud Workload Security Agent rule */ @JsonPropertyOrder({ CloudWorkloadSecurityAgentRuleUpdateAttributes.JSON_PROPERTY_DESCRIPTION, CloudWorkloadSecurityAgentRuleUpdateAttributes.JSON_PROPERTY_ENABLED, - CloudWorkloadSecurityAgentRuleUpdateAttributes.JSON_PROPERTY_EXPRESSION + CloudWorkloadSecurityAgentRuleUpdateAttributes.JSON_PROPERTY_EXPRESSION, + CloudWorkloadSecurityAgentRuleUpdateAttributes.JSON_PROPERTY_POLICY_ID, + CloudWorkloadSecurityAgentRuleUpdateAttributes.JSON_PROPERTY_PRODUCT_TAGS }) @jakarta.annotation.Generated( value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") @@ -35,13 +39,19 @@ public class CloudWorkloadSecurityAgentRuleUpdateAttributes { public static final String JSON_PROPERTY_EXPRESSION = "expression"; private String expression; + public static final String JSON_PROPERTY_POLICY_ID = "policy_id"; + private String policyId; + + public static final String JSON_PROPERTY_PRODUCT_TAGS = "product_tags"; + private List productTags = null; + public CloudWorkloadSecurityAgentRuleUpdateAttributes description(String description) { this.description = description; return this; } /** - * The description of the Agent rule. + * The description of the Agent rule * * @return description */ @@ -62,7 +72,7 @@ public CloudWorkloadSecurityAgentRuleUpdateAttributes enabled(Boolean enabled) { } /** - * Whether the Agent rule is enabled. + * Whether the Agent rule is enabled * * @return enabled */ 
@@ -83,7 +93,7 @@ public CloudWorkloadSecurityAgentRuleUpdateAttributes expression(String expressi } /** - * The SECL expression of the Agent rule. + * The SECL expression of the Agent rule * * @return expression */ @@ -98,6 +108,56 @@ public void setExpression(String expression) { this.expression = expression; } + public CloudWorkloadSecurityAgentRuleUpdateAttributes policyId(String policyId) { + this.policyId = policyId; + return this; + } + + /** + * The ID of the policy where the Agent rule is saved + * + * @return policyId + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_POLICY_ID) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public String getPolicyId() { + return policyId; + } + + public void setPolicyId(String policyId) { + this.policyId = policyId; + } + + public CloudWorkloadSecurityAgentRuleUpdateAttributes productTags(List productTags) { + this.productTags = productTags; + return this; + } + + public CloudWorkloadSecurityAgentRuleUpdateAttributes addProductTagsItem(String productTagsItem) { + if (this.productTags == null) { + this.productTags = new ArrayList<>(); + } + this.productTags.add(productTagsItem); + return this; + } + + /** + * The list of product tags associated with the rule + * + * @return productTags + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_PRODUCT_TAGS) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public List getProductTags() { + return productTags; + } + + public void setProductTags(List productTags) { + this.productTags = productTags; + } + /** * A container for additional, undeclared properties. This is a holder for any undeclared * properties as specified with the 'additionalProperties' keyword in the OAS document. 
@@ -161,6 +221,9 @@ public boolean equals(Object o) { && Objects.equals(this.enabled, cloudWorkloadSecurityAgentRuleUpdateAttributes.enabled) && Objects.equals( this.expression, cloudWorkloadSecurityAgentRuleUpdateAttributes.expression) + && Objects.equals(this.policyId, cloudWorkloadSecurityAgentRuleUpdateAttributes.policyId) + && Objects.equals( + this.productTags, cloudWorkloadSecurityAgentRuleUpdateAttributes.productTags) && Objects.equals( this.additionalProperties, cloudWorkloadSecurityAgentRuleUpdateAttributes.additionalProperties); @@ -168,7 +231,8 @@ public boolean equals(Object o) { @Override public int hashCode() { - return Objects.hash(description, enabled, expression, additionalProperties); + return Objects.hash( + description, enabled, expression, policyId, productTags, additionalProperties); } @Override @@ -178,6 +242,8 @@ public String toString() { sb.append(" description: ").append(toIndentedString(description)).append("\n"); sb.append(" enabled: ").append(toIndentedString(enabled)).append("\n"); sb.append(" expression: ").append(toIndentedString(expression)).append("\n"); + sb.append(" policyId: ").append(toIndentedString(policyId)).append("\n"); + sb.append(" productTags: ").append(toIndentedString(productTags)).append("\n"); sb.append(" additionalProperties: ") .append(toIndentedString(additionalProperties)) .append("\n"); diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdateData.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdateData.java index 8ab14b0a9cc..c3f51af6fc4 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdateData.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdateData.java 
@@ -17,7 +17,7 @@ import java.util.Map; import java.util.Objects; -/** Object for a single Agent rule. */ +/** Object for a single Agent rule */ @JsonPropertyOrder({ CloudWorkloadSecurityAgentRuleUpdateData.JSON_PROPERTY_ATTRIBUTES, CloudWorkloadSecurityAgentRuleUpdateData.JSON_PROPERTY_ID, @@ -58,7 +58,7 @@ public CloudWorkloadSecurityAgentRuleUpdateData attributes( } /** - * Update an existing Cloud Workload Security Agent rule. + * Update an existing Cloud Workload Security Agent rule * * @return attributes */ @@ -78,7 +78,7 @@ public CloudWorkloadSecurityAgentRuleUpdateData id(String id) { } /** - * The ID of the agent rule. + * The ID of the Agent rule * * @return id */ @@ -100,7 +100,7 @@ public CloudWorkloadSecurityAgentRuleUpdateData type(CloudWorkloadSecurityAgentR } /** - * The type of the resource. The value should always be agent_rule. + * The type of the resource, must always be agent_rule * * @return type */ diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdateRequest.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdateRequest.java index 6c0edd89fb6..08f80cd0857 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdateRequest.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdateRequest.java @@ -17,7 +17,7 @@ import java.util.Map; import java.util.Objects; -/** Request object that includes the Agent rule with the attributes to update. */ +/** Request object that includes the Agent rule with the attributes to update */ @JsonPropertyOrder({CloudWorkloadSecurityAgentRuleUpdateRequest.JSON_PROPERTY_DATA}) @jakarta.annotation.Generated( value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") @@ -44,7 +44,7 @@ public CloudWorkloadSecurityAgentRuleUpdateRequest data( } /** - * Object for a single Agent rule. + * Object for a single Agent rule * * @return data */ 
diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdaterAttributes.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdaterAttributes.java index 1fa0780180b..2b6cf51dfec 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdaterAttributes.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRuleUpdaterAttributes.java @@ -17,7 +17,7 @@ import java.util.Objects; import org.openapitools.jackson.nullable.JsonNullable; -/** The attributes of the user who last updated the Agent rule. */ +/** The attributes of the user who last updated the Agent rule */ @JsonPropertyOrder({ CloudWorkloadSecurityAgentRuleUpdaterAttributes.JSON_PROPERTY_HANDLE, CloudWorkloadSecurityAgentRuleUpdaterAttributes.JSON_PROPERTY_NAME @@ -38,7 +38,7 @@ public CloudWorkloadSecurityAgentRuleUpdaterAttributes handle(String handle) { } /** - * The handle of the user. + * The handle of the user * * @return handle */ @@ -59,7 +59,7 @@ public CloudWorkloadSecurityAgentRuleUpdaterAttributes name(String name) { } /** - * The name of the user. + * The name of the user * * @return name */ diff --git a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRulesListResponse.java b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRulesListResponse.java index 69bafb4c2de..dc4a8cd1f1e 100644 --- a/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRulesListResponse.java +++ b/src/main/java/com/datadog/api/client/v2/model/CloudWorkloadSecurityAgentRulesListResponse.java 
@@ -18,7 +18,7 @@ import java.util.Map; import java.util.Objects; -/** Response object that includes a list of Agent rule. */ +/** Response object that includes a list of Agent rule */ @JsonPropertyOrder({CloudWorkloadSecurityAgentRulesListResponse.JSON_PROPERTY_DATA}) @jakarta.annotation.Generated( value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") @@ -47,7 +47,7 @@ public CloudWorkloadSecurityAgentRulesListResponse addDataItem( } /** - * A list of Agent rules objects. + * A list of Agent rules objects * * @return data */ diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze new file mode 100644 index 00000000000..c290cdbad60 --- /dev/null +++ b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze @@ -0,0 +1 @@ +2025-04-15T09:10:06.353Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json new file mode 100644 index 00000000000..a1ad99ee09b --- /dev/null +++ b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json 
@@ -0,0 +1,32 @@
+[
+  {
+    "httpRequest": {
+      "body": {
+        "type": "JSON",
+        "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[],\"hostTagsLists\":[],\"name\":\"test\"},\"type\":\"policy\"}}"
+      },
+      "headers": {},
+      "method": "POST",
+      "path": "/api/v2/remote_config/products/cws/policy",
+      "keepAlive": false,
+      "secure": true
+    },
+    "httpResponse": {
+      "body": "{\"errors\":[{\"title\":\"failed to create policy\"}]}\n",
+      "headers": {
+        "Content-Type": [
+          "application/json"
+        ]
+      },
+      "statusCode": 400,
+      "reasonPhrase": "Bad Request"
+    },
+    "times": {
+      "remainingTimes": 1
+    },
+    "timeToLive": {
+      "unlimited": true
+    },
+    "id": "883ed00c-3ccd-7f5d-cf46-65bf3a474c74"
+  }
+]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
new file mode 100644
index 00000000000..3eef66a9c7a
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-04-15T09:10:06.769Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.json
new file mode 100644
index 00000000000..9026c83803a
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.json
@@ -0,0 +1,57 @@
+[
+  {
+    "httpRequest": {
+      "body": {
+        "type": "JSON",
+        "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"name\":\"my_agent_policy\"},\"type\":\"policy\"}}"
+      },
+      "headers": {},
+      "method": "POST",
+      "path": "/api/v2/remote_config/products/cws/policy",
+      "keepAlive": false,
+      "secure": true
+    },
+    "httpResponse": {
+      "body": "{\"data\":{\"id\":\"4op-0bb-yom\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"my_agent_policy\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708206895,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+      "headers": {
+        "Content-Type": [
+          "application/json"
+        ]
+      },
+      "statusCode": 200,
+      "reasonPhrase": "OK"
+    },
+    "times": {
+      "remainingTimes": 1
+    },
+    "timeToLive": {
+      "unlimited": true
+    },
+    "id": "f10f3f68-64cc-08b4-9f4e-80d366a5862f"
+  },
+  {
+    "httpRequest": {
+      "headers": {},
+      "method": "DELETE",
+      "path": "/api/v2/remote_config/products/cws/policy/4op-0bb-yom",
+      "keepAlive": false,
+      "secure": true
+    },
+    "httpResponse": {
+      "headers": {
+        "Content-Type": [
+          "application/json"
+        ]
+      },
+      "statusCode": 204,
+      "reasonPhrase": "No Content"
+    },
+    "times": {
+      "remainingTimes": 1
+    },
+    "timeToLive": {
+      "unlimited": true
+    },
+    "id": "217dfe64-1f33-003d-ee9d-203ae51dfa29"
+  }
+]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
index c616aa2ac2c..f989accc05d 100644
--- a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
+++ b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
@@ -1 +1 @@
-2024-04-23T17:57:44.167Z
\ No newline at end of file
+2025-04-01T14:30:45.280Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json
index 056a9e12b3b..afcbe95cd77 100644
--- a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json
+++ b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json
@@ -3,7 +3,37 @@
     "httpRequest": {
       "body": {
         "type": "JSON",
-        "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == sh\",\"name\":\"testcreateacsmthreatsagentrulereturnsbadrequestresponse1713895064\"},\"type\":\"agent_rule\"}}"
+        "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacsmthreatsagentrulereturnsbadrequestresponse1743517845\"},\"type\":\"policy\"}}"
+      },
+      "headers": {},
+      "method": "POST",
+      "path": "/api/v2/remote_config/products/cws/policy",
+      "keepAlive": false,
+      "secure": true
+    },
+    "httpResponse": {
+      "body": "{\"data\":{\"id\":\"mrs-qdn-jq8\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacsmthreatsagentrulereturnsbadrequestresponse1743517845\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517845323,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+      "headers": {
+        "Content-Type": [
+          "application/json"
+        ]
+      },
+      "statusCode": 200,
+      "reasonPhrase": "OK"
+    },
+    "times": {
+      "remainingTimes": 1
+    },
+    "timeToLive": {
+      "unlimited": true
+    },
+    "id": "2c22f6b8-0057-2221-bb82-a94431d3f6f7"
+  },
+  {
+    "httpRequest": {
+      "body": {
+        "type": "JSON",
+        "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\",\"filters\":[],\"name\":\"my_agent_rule\",\"policy_id\":\"mrs-qdn-jq8\",\"product_tags\":[]},\"type\":\"agent_rule\"}}"
       },
       "headers": {},
       "method": "POST",
@@ -12,7 +42,7 @@ "secure": true }, "httpResponse": { - "body": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testcreateacsmthreatsagentrulereturnsbadrequestresponse1713895064` error: rule compilation error: field `sh` not found)\"]}", + "body": "{\"errors\":[\"input_validation_error(Field 'name' is invalid: rule `my_agent_rule` error: multiple definition with the same ID)\"]}", "headers": { "Content-Type": [ "application/json" @@ -27,6 +57,31 @@ "timeToLive": { "unlimited": true }, - "id": "5ac51b84-f3dc-4859-1cb2-aee7e669dc09" + "id": "3362265e-367b-0482-ae52-3fc0311cf28b" + }, + { + "httpRequest": { + "headers": {}, + "method": "DELETE", + "path": "/api/v2/remote_config/products/cws/policy/mrs-qdn-jq8", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 204, + "reasonPhrase": "No Content" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "a246d260-6a96-d40b-a485-5db945980300" } ] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze index 42b749c2db2..d00c1e7e923 100644 --- a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze +++ b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze @@ -1 +1 @@ -2024-05-22T16:22:22.200Z \ No newline at end of file +2025-04-01T14:30:46.809Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.json index 1b560f38742..bed8318d216 100644 
--- a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.json +++ b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.json 
@@ -3,7 +3,37 @@ "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1716394942\"},\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\"},\"type\":\"policy\"}}" + }, + "headers": {}, + "method": "POST", + "path": "/api/v2/remote_config/products/cws/policy", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "body": "{\"data\":{\"id\":\"eeq-02h-jhh\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517846856,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 200, + "reasonPhrase": "OK" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "24980952-e327-2773-d13a-7a2db6d72809" + }, + { + "httpRequest": { + "body": { + "type": "JSON", + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\",\"policy_id\":\"eeq-02h-jhh\",\"product_tags\":[]},\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "POST", 
@@ -12,7 +42,7 @@ "secure": true }, "httpResponse": { - "body": "{\"data\":{\"id\":\"pn4-mo8-u5r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716394942614,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1716394942\",\"updateDate\":1716394942614,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}}}", + "body": "{\"data\":{\"id\":\"ree-4gw-dk6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517847344,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\",\"updateDate\":1743517847344,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "headers": { "Content-Type": [ "application/json" 
@@ -27,13 +57,38 @@ "timeToLive": { "unlimited": true }, - "id": "cb586cad-63a8-674d-5f80-7a5bffb9811b" + "id": "2fb8bdf9-13e6-e45f-a56d-91cb471a44fa" + }, + { + "httpRequest": { + "headers": {}, + "method": "DELETE", + "path": "/api/v2/remote_config/products/cws/agent_rules/ree-4gw-dk6", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 204, + "reasonPhrase": "No Content" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "2c9c987d-5731-42d2-3375-605a60a90870" }, { "httpRequest": { "headers": {}, "method": "DELETE", - "path": "/api/v2/remote_config/products/cws/agent_rules/pn4-mo8-u5r", + "path": "/api/v2/remote_config/products/cws/policy/eeq-02h-jhh", "keepAlive": false, "secure": true }, @@ -52,6 +107,6 @@ "timeToLive": { "unlimited": true }, - "id": "af4f504c-a69c-e094-030e-fe1c443177fa" + "id": "e08a3d6a-e327-4f22-3453-dc1acfbc3c36" } ] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze index 0086bc56597..569f1f18978 100644 --- a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze +++ b/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze @@ -1 +1 @@ -2024-04-23T17:57:45.044Z \ No newline at end of file +2025-04-18T09:10:11.610Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json b/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json index 9d198b70634..fbdbd06fece 100644 
--- a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json +++ b/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json 
@@ -3,7 +3,37 @@ "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"open.file.path = sh\",\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1713895065\"},\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967411\"},\"type\":\"policy\"}}" + }, + "headers": {}, + "method": "POST", + "path": "/api/v2/remote_config/products/cws/policy", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "body": "{\"data\":{\"id\":\"byc-7rh-p5l\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967411\",\"policyVersion\":\"1\",\"priority\":1000000002,\"ruleCount\":226,\"updateDate\":1744967411964,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 200, + "reasonPhrase": "OK" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "3ae8b90b-9d2e-3042-3def-b6d96385b207" + }, + { + "httpRequest": { + "body": { + "type": "JSON", + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\",\"filters\":[],\"name\":\"my_agent_rule\"},\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "POST", 
@@ -12,7 +42,7 @@ "secure": true }, "httpResponse": { - "body": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1713895065` error: syntax error `1:18: unexpected token \\\"sh\\\" (expected \\\"~\\\")`)\"]}\n", + "body": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `my_agent_rule` error: rule syntax error: bool expected: 1:1: exec.file.name\\n^)\"]}\n", "headers": { "Content-Type": [ "application/json" @@ -27,6 +57,31 @@ "timeToLive": { "unlimited": true }, - "id": "8994593c-4c97-8535-429f-f708d2b005d5" + "id": "a201dc06-069a-389a-992f-d7d4af1e7d97" + }, + { + "httpRequest": { + "headers": {}, + "method": "DELETE", + "path": "/api/v2/remote_config/products/cws/policy/byc-7rh-p5l", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 204, + "reasonPhrase": "No Content" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "078ed09b-2e4a-5af6-20a6-254dc85646c3" } ] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze index 0a184145e4a..8ad981fd20f 100644 --- a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze +++ b/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze @@ -1 +1 @@ -2024-04-23T17:57:45.232Z \ No newline at end of file +2025-04-01T14:30:49.909Z \ No newline at end of file 
diff --git a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json index 297c884fa02..ea5263ded0d 100644 --- a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json +++ b/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json 
@@ -3,7 +3,37 @@ "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1713895065\"},\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\"},\"type\":\"policy\"}}" + }, + "headers": {}, + "method": "POST", + "path": "/api/v2/remote_config/products/cws/policy", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "body": "{\"data\":{\"id\":\"4o4-2ha-t4b\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517849954,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 200, + "reasonPhrase": "OK" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "7c285ff6-b1ea-26ec-704d-9b5f0246d02d" + }, + { + "httpRequest": { + "body": { + "type": "JSON", + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\"},\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "POST", 
@@ -12,7 +42,7 @@ "secure": true }, "httpResponse": { - "body": "{\"data\":{\"id\":\"igj-qzb-9eq\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1713895065\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713895065356,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713895065356,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n", + "body": "{\"data\":{\"id\":\"amk-lsa-s1q\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1743517850483,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1743517850483,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", "headers": { "Content-Type": [ "application/json" 
@@ -27,13 +57,13 @@ "timeToLive": { "unlimited": true }, - "id": "3f58a3dd-9886-b92d-0186-494e4cdb8179" + "id": "f29574c7-79d9-5925-2699-b0bbd20ea20d" }, { "httpRequest": { "headers": {}, "method": "DELETE", - "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/igj-qzb-9eq", + "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/amk-lsa-s1q", "keepAlive": false, "secure": true }, @@ -48,6 +78,31 @@ "timeToLive": { "unlimited": true }, - "id": "0c1bd236-ec0c-dff6-17af-fc03ca098caf" + "id": "213da503-7db2-f282-57f9-696487873321" + }, + { + "httpRequest": { + "headers": {}, + "method": "DELETE", + "path": "/api/v2/remote_config/products/cws/policy/4o4-2ha-t4b", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 204, + "reasonPhrase": "No Content" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "139ce589-a272-ef27-1fbf-867fa4c6b67d" } ] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze new file mode 100644 index 00000000000..2907715a1f0 --- /dev/null +++ b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze @@ -0,0 +1 @@ +2025-04-01T14:30:50.953Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json new file mode 100644 index 00000000000..00ed8efa6f2 --- /dev/null +++ b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json 
@@ -0,0 +1,28 @@ +[ + { + "httpRequest": { + "headers": {}, + "method": "DELETE", + "path": "/api/v2/remote_config/products/cws/policy/non-existent-policy-id", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "body": "{\"errors\":[{\"title\":\"failed to delete policy\"}]}\n", + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 404, + "reasonPhrase": "Not Found" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "eb60bd34-bda7-29d5-9609-1de8ced718cf" + } +] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.freeze new file mode 100644 index 00000000000..b90ca64b48f --- /dev/null +++ b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.freeze @@ -0,0 +1 @@ +2025-04-01T14:30:51.116Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.json new file mode 100644 index 00000000000..385f324943d --- /dev/null +++ b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.json 
@@ -0,0 +1,83 @@ +[ + { + "httpRequest": { + "body": { + "type": "JSON", + "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteacsmthreatsagentpolicyreturnsokresponse1743517851\"},\"type\":\"policy\"}}" + }, + "headers": {}, + "method": "POST", + "path": "/api/v2/remote_config/products/cws/policy", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "body": "{\"data\":{\"id\":\"794-4tf-osj\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteacsmthreatsagentpolicyreturnsokresponse1743517851\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517851168,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 200, + "reasonPhrase": "OK" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "0025e118-5d2c-a766-6988-d11ece091208" + }, + { + "httpRequest": { + "headers": {}, + "method": "DELETE", + "path": "/api/v2/remote_config/products/cws/policy/794-4tf-osj", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 204, + "reasonPhrase": "No Content" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "c0c40bab-ba1a-b8ef-53de-f44216d37c4b" + }, + { + "httpRequest": { + "headers": {}, + "method": "DELETE", + "path": "/api/v2/remote_config/products/cws/policy/794-4tf-osj", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "body": "{\"errors\":[{\"title\":\"failed to delete policy\"}]}\n", + "headers": { + "Content-Type": [ + 
"application/json" + ] + }, + "statusCode": 404, + "reasonPhrase": "Not Found" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "c0c40bab-ba1a-b8ef-53de-f44216d37c4c" + } +] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze index 75691616f27..9c683d57fe5 100644 --- a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze +++ b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze @@ -1 +1 @@ -2024-04-23T17:57:45.602Z \ No newline at end of file +2025-04-01T14:30:52.038Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json index d45b1b2d0ee..b6e66acf8f0 100644 --- a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json +++ b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json @@ -3,7 +3,7 @@ "httpRequest": { "headers": {}, "method": "DELETE", - "path": "/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz", + "path": "/api/v2/remote_config/products/cws/agent_rules/non-existent-rule-id", "keepAlive": false, "secure": true }, @@ -23,6 +23,6 @@ "timeToLive": { "unlimited": true }, - "id": "ceb83d3d-046b-71c1-42fb-4beb5c1fae4a" + "id": "37943dec-e34a-4139-6fd6-39d539b08422" } ] \ No newline at end of file 
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze index d4cf357cdd4..369e24ad10b 100644 --- a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze +++ b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze @@ -1 +1 @@ -2024-04-23T17:57:45.727Z \ No newline at end of file +2025-04-01T14:30:52.133Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.json index 89d7f446c8d..d39a9b19f43 100644 --- a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.json +++ b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.json 
@@ -3,7 +3,37 @@ "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1713895065\"},\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\"},\"type\":\"policy\"}}" + }, + "headers": {}, + "method": "POST", + "path": "/api/v2/remote_config/products/cws/policy", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "body": "{\"data\":{\"id\":\"kqm-fhb-eay\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517852178,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 200, + "reasonPhrase": "OK" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "4f76bbc7-21ec-50b0-bee4-961e511310a1" + }, + { + "httpRequest": { + "body": { + "type": "JSON", + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\",\"policy_id\":\"kqm-fhb-eay\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "POST", 
@@ -12,7 +42,7 @@ "secure": true }, "httpResponse": { - "body": "{\"data\":{\"id\":\"r8q-52h-8r2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713895065801,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1713895065\",\"updateDate\":1713895065801,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}}}", + "body": "{\"data\":{\"id\":\"pjy-nkm-0wb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517852458,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\",\"updateDate\":1743517852458,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "headers": { "Content-Type": [ "application/json" @@ -27,13 +57,18 @@ "timeToLive": { "unlimited": true }, - "id": "ee0179b3-5d7a-ff9f-fc55-c3742c3922ef" + "id": "1c8f6f2e-7e2a-a819-ee4e-c6a17d759a59" }, { "httpRequest": { "headers": {}, "method": "DELETE", - "path": "/api/v2/remote_config/products/cws/agent_rules/r8q-52h-8r2", + "path": "/api/v2/remote_config/products/cws/agent_rules/pjy-nkm-0wb", + "queryStringParameters": { + "policy_id": [ + "kqm-fhb-eay" + ] + }, "keepAlive": false, "secure": true }, 
@@ -52,13 +87,13 @@ "timeToLive": { "unlimited": true }, - "id": "a98fb6b3-1ebb-c73d-4156-6eb0a2fdcab5" + "id": "051dd302-ae69-4fc9-b7e1-b2374822608d" }, { "httpRequest": { "headers": {}, "method": "DELETE", - "path": "/api/v2/remote_config/products/cws/agent_rules/r8q-52h-8r2", + "path": "/api/v2/remote_config/products/cws/agent_rules/pjy-nkm-0wb", "keepAlive": false, "secure": true }, @@ -78,6 +113,31 @@ "timeToLive": { "unlimited": true }, - "id": "a98fb6b3-1ebb-c73d-4156-6eb0a2fdcab6" + "id": "553271fe-77cf-080d-8c01-e84523cfab6b" + }, + { + "httpRequest": { + "headers": {}, + "method": "DELETE", + "path": "/api/v2/remote_config/products/cws/policy/kqm-fhb-eay", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 204, + "reasonPhrase": "No Content" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "10b0a06a-54fa-48ac-a1f6-9cf4e9e9ef1c" } ] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze index 01e15554052..c943cdfcd91 100644 --- a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze +++ b/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze @@ -1 +1 @@ -2024-04-23T17:57:46.672Z \ No newline at end of file +2025-04-01T14:30:54.389Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json index 1652f89c5af..8afd74ef047 100644 
--- a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json +++ b/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json @@ -3,12 +3,12 @@ "httpRequest": { "headers": {}, "method": "DELETE", - "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz", + "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/non-existent-rule-id", "keepAlive": false, "secure": true }, "httpResponse": { - "body": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=abc-123-xyz)\"]}\n", + "body": "{\"errors\":[\"Not found\"]}\n", "headers": { "Content-Type": [ "application/json" @@ -23,6 +23,6 @@ "timeToLive": { "unlimited": true }, - "id": "61e04474-6a78-83ac-9581-36cfc11f87f4" + "id": "a1e7af54-a2bd-4cd0-da9e-410f5ec68aab" } ] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze index abfeb06135f..5d92123426a 100644 --- a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze +++ b/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze @@ -1 +1 @@ -2024-04-23T17:57:46.852Z \ No newline at end of file +2025-04-18T09:10:13.237Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json index a2b373ca0f6..634cf10048e 100644 --- a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json 
+++ b/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json @@ -3,7 +3,7 @@ "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1713895066\"},\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1744967413\"},\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "POST", 
@@ -12,7 +12,7 @@ "secure": true }, "httpResponse": { - "body": "{\"data\":{\"id\":\"tlm-pl7-gkc\",\"attributes\":{\"version\":1,\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1713895066\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713895066982,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713895066982,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n", + "body": "{\"data\":{\"id\":\"ghk-tsf-neq\",\"attributes\":{\"version\":1,\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1744967413\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967413434,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967413434,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", "headers": { "Content-Type": [ "application/json" 
@@ -27,13 +27,13 @@
 "timeToLive": {
 "unlimited": true
 },
- "id": "087495b2-e3d1-1cf3-1508-673688587283"
+ "id": "86ecfc4f-12da-3c05-da2b-f597071d54fe"
 },
 {
 "httpRequest": {
 "headers": {},
 "method": "DELETE",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/tlm-pl7-gkc",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/ghk-tsf-neq",
 "keepAlive": false,
 "secure": true
 },
@@ -48,18 +48,18 @@
 "timeToLive": {
 "unlimited": true
 },
- "id": "dd833ed5-9624-1df6-1aa3-168cd6bc26d6"
+ "id": "2f47c18e-235c-f53d-4f7f-57599b1dcec6"
 },
 {
 "httpRequest": {
 "headers": {},
 "method": "DELETE",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/tlm-pl7-gkc",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/ghk-tsf-neq",
 "keepAlive": false,
 "secure": true
 },
 "httpResponse": {
- "body": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=tlm-pl7-gkc)\"]}\n",
+ "body": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=ghk-tsf-neq)\"]}\n",
 "headers": {
 "Content-Type": [
 "application/json"
@@ -74,6 +74,6 @@
 "timeToLive": {
 "unlimited": true
 },
- "id": "dd833ed5-9624-1df6-1aa3-168cd6bc26d7"
+ "id": "2f47c18e-235c-f53d-4f7f-57599b1dcec7"
 }
 ]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..24a790d0a6e
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2025-04-01T14:30:54.462Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json
new file mode 100644
index 00000000000..16f01ca3c8d
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json
@@ -0,0 +1,28 @@
+[
+ {
+ "httpRequest": {
+ "headers": {},
+ "method": "GET",
+ "path": "/api/v2/remote_config/products/cws/policy/non-existent-policy-id",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"errors\":[{\"title\":\"Not Found\"}]}",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 404,
+ "reasonPhrase": "Not Found"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "dd6eb83a-4e91-0f02-49db-26a2e3076457"
+ }
+]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
new file mode 100644
index 00000000000..76a83128373
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-04-01T14:30:54.711Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.json
new file mode 100644
index 00000000000..5ba2550acfd
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.json
@@ -0,0 +1,83 @@
+[
+ {
+ "httpRequest": {
+ "body": {
+ "type": "JSON",
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1743517854\"},\"type\":\"policy\"}}"
+ },
+ "headers": {},
+ "method": "POST",
+ "path": "/api/v2/remote_config/products/cws/policy",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"data\":{\"id\":\"egv-qkr-ihb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1743517854\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517854753,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 200,
+ "reasonPhrase": "OK"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "819fbd0e-656d-0570-1df5-8cdb4e34e693"
+ },
+ {
+ "httpRequest": {
+ "headers": {},
+ "method": "GET",
+ "path": "/api/v2/remote_config/products/cws/policy/egv-qkr-ihb",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"data\":{\"id\":\"egv-qkr-ihb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1743517854\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517854753,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 200,
+ "reasonPhrase": "OK"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "f78656fc-8bce-c105-3d97-4a2d06011032"
+ },
+ {
+ "httpRequest": {
+ "headers": {},
+ "method": "DELETE",
+ "path": "/api/v2/remote_config/products/cws/policy/egv-qkr-ihb",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 204,
+ "reasonPhrase": "No Content"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "7c1f0e88-a5c0-0171-a979-6268102a9b1c"
+ }
+]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
index 9d08508bcfe..a6328571453 100644
--- a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
+++ b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
@@ -1 +1 @@
-2024-04-23T17:57:47.369Z
\ No newline at end of file
+2025-04-01T14:30:55.749Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json
index 81d99801761..592b4186444 100644
--- a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json
+++ b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json
@@ -3,7 +3,7 @@
 "httpRequest": {
 "headers": {},
 "method": "GET",
- "path": "/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz",
+ "path": "/api/v2/remote_config/products/cws/agent_rules/non-existent-rule-id",
 "keepAlive": false,
 "secure": true
 },
@@ -23,6 +23,6 @@
 "timeToLive": {
 "unlimited": true
 },
- "id": "5ff31f6e-152f-01dc-8f22-48d2ff5fd80d"
+ "id": "e22ee5d8-7a99-d8d5-1774-a5113be6b1d8"
 }
 ]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
index 0f762616f67..5c69286972a 100644
--- a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
+++ b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
@@ -1 +1 @@
-2024-04-23T17:57:47.555Z
\ No newline at end of file
+2025-04-01T14:30:56.067Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.json
index ce142911c30..7dfde91e1be 100644
--- a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.json
@@ -3,7 +3,37 @@
 "httpRequest": {
 "body": {
 "type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1713895067\"},\"type\":\"agent_rule\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\"},\"type\":\"policy\"}}"
+ },
+ "headers": {},
+ "method": "POST",
+ "path": "/api/v2/remote_config/products/cws/policy",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"data\":{\"id\":\"lxh-tyq-n9u\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517856115,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 200,
+ "reasonPhrase": "OK"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "b3afdaf5-8519-ae56-8384-8974c6321350"
+ },
+ {
+ "httpRequest": {
+ "body": {
+ "type": "JSON",
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"policy_id\":\"lxh-tyq-n9u\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}"
 },
 "headers": {},
 "method": "POST",
@@ -12,7 +42,7 @@
 "secure": true
 },
 "httpResponse": {
- "body": "{\"data\":{\"id\":\"6wy-t98-466\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713895067605,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1713895067\",\"updateDate\":1713895067605,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}}}",
+ "body": "{\"data\":{\"id\":\"k1m-gqh-zqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517856488,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"updateDate\":1743517856488,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
 "headers": {
 "Content-Type": [
 "application/json"
@@ -27,18 +57,23 @@
 "timeToLive": {
 "unlimited": true
 },
- "id": "cc396698-6524-0fdd-49df-49b0c228f1f8"
+ "id": "27a6662f-7392-6412-b20f-f83d031acdcf"
 },
 {
 "httpRequest": {
 "headers": {},
 "method": "GET",
- "path": "/api/v2/remote_config/products/cws/agent_rules/6wy-t98-466",
+ "path": "/api/v2/remote_config/products/cws/agent_rules/k1m-gqh-zqm",
+ "queryStringParameters": {
+ "policy_id": [
+ "lxh-tyq-n9u"
+ ]
+ },
 "keepAlive": false,
 "secure": true
 },
 "httpResponse": {
- "body": "{\"data\":{\"id\":\"6wy-t98-466\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713895067000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1713895067\",\"updateDate\":1713895067000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}}}",
+ "body": "{\"data\":{\"id\":\"k1m-gqh-zqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517856000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"updateDate\":1743517856000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
 "headers": {
 "Content-Type": [
 "application/json"
@@ -53,13 +88,38 @@
 "timeToLive": {
 "unlimited": true
 },
- "id": "1a7aea72-7e8f-1be0-9bad-453379878e35"
+ "id": "9edf3fa7-1822-39c2-f6c8-b4041c573e95"
+ },
+ {
+ "httpRequest": {
+ "headers": {},
+ "method": "DELETE",
+ "path": "/api/v2/remote_config/products/cws/agent_rules/k1m-gqh-zqm",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 204,
+ "reasonPhrase": "No Content"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "8721cb1e-d70a-2ced-a636-c8e94ceda016"
 },
 {
 "httpRequest": {
 "headers": {},
 "method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/agent_rules/6wy-t98-466",
+ "path": "/api/v2/remote_config/products/cws/policy/lxh-tyq-n9u",
 "keepAlive": false,
 "secure": true
 },
@@ -78,6 +138,6 @@
 "timeToLive": {
 "unlimited": true
 },
- "id": "af9c43e1-8724-ef77-4edf-814d6081c1ae"
+ "id": "995c1950-79a6-e4ab-6918-978d0ac9090d"
 }
 ]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
index f72d8002ec2..881abb7569a 100644
--- a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
+++ b/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
@@ -1 +1 @@
-2024-04-23T17:57:48.453Z
\ No newline at end of file
+2025-04-01T14:30:58.452Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json
index 70be3aa1449..237161aa908 100644
--- a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json
+++ b/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json
@@ -3,12 +3,12 @@
 "httpRequest": {
 "headers": {},
 "method": "GET",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/non-existent-rule-id",
 "keepAlive": false,
 "secure": true
 },
 "httpResponse": {
- "body": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=abc-123-xyz)\"]}\n",
+ "body": "{\"errors\":[\"Not found\"]}\n",
 "headers": {
 "Content-Type": [
 "application/json"
@@ -23,6 +23,6 @@
 "timeToLive": {
 "unlimited": true
 },
- "id": "8cf8a225-5192-3ecc-94cb-1be118b4fdc2"
+ "id": "58b0e427-8b1a-941f-4374-0f548704a50d"
 }
 ]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
index 2cb7e68f0f8..72cbb497c85 100644
--- a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
+++ b/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
@@ -1 +1 @@
-2024-04-23T17:57:48.613Z
\ No newline at end of file
+2025-04-18T09:10:13.933Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json
index 2b83b46b051..eeeb58fc665 100644
--- a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json
@@ -3,7 +3,7 @@
 "httpRequest": {
 "body": {
 "type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1713895068\"},\"type\":\"agent_rule\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413\"},\"type\":\"agent_rule\"}}"
 },
 "headers": {},
 "method": "POST",
@@ -12,7 +12,7 @@
 "secure": true
 },
 "httpResponse": {
- "body": "{\"data\":{\"id\":\"ei4-rq6-ept\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1713895068\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713895068731,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713895068731,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n",
+ "body": "{\"data\":{\"id\":\"ajb-znb-t3g\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967414208,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967414208,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n",
 "headers": {
 "Content-Type": [
 "application/json"
@@ -27,18 +27,18 @@
 "timeToLive": {
 "unlimited": true
 },
- "id": "0dec293b-85d2-10dd-119f-35f568a5273f"
+ "id": "396a5dc9-132e-919e-9d88-cf562a6e9d95"
 },
 {
 "httpRequest": {
 "headers": {},
 "method": "GET",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/ei4-rq6-ept",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/ajb-znb-t3g",
 "keepAlive": false,
 "secure": true
 },
 "httpResponse": {
- "body": "{\"data\":{\"id\":\"ei4-rq6-ept\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1713895068\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713895068731,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713895068731,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n",
+ "body": "{\"data\":{\"id\":\"ajb-znb-t3g\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967414208,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967414208,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n",
 "headers": {
 "Content-Type": [
 "application/json"
@@ -53,13 +53,13 @@
 "timeToLive": {
 "unlimited": true
 },
- "id": "e9d2fdc2-1ea8-86bd-462b-96d289388521"
+ "id": "8d9f05ef-f286-26ab-9b61-6ec475d8c5a2"
 },
 {
 "httpRequest": {
 "headers": {},
 "method": "DELETE",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/ei4-rq6-ept",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/ajb-znb-t3g",
 "keepAlive": false,
 "secure": true
 },
@@ -74,6 +74,6 @@
 "timeToLive": {
 "unlimited": true
 },
- "id": "86492460-d3e5-7501-1f32-18113b23cd8e"
+ "id": "123e0530-9270-5bba-2906-395d131199f7"
 }
 ]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.freeze
new file mode 100644
index 00000000000..8fe4f3f1934
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-04-01T14:30:58.530Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.json
new file mode 100644
index 00000000000..3b803f7f9a5
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.json
@@ -0,0 +1,28 @@
+[
+ {
+ "httpRequest": {
+ "headers": {},
+ "method": "GET",
+ "path": "/api/v2/remote_config/products/cws/policy",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"data\":[{\"id\":\"CWS_CUSTOM-canary\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"disabledRulesCount\":1,\"enabled\":false,\"hostTags\":[],\"monitoringRulesCount\":418,\"name\":\"Datadog Managed Policy\",\"policyVersion\":\"53221\",\"priority\":1000000000,\"ruleCount\":419,\"updateDate\":1742473183000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"CWS_DD\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":true,\"disabledRulesCount\":1,\"enabled\":true,\"monitoringRulesCount\":225,\"name\":\"Datadog Managed Policy\",\"policyVersion\":\"1.40.0-rc76\",\"priority\":0,\"ruleCount\":226,\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}}]}",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 200,
+ "reasonPhrase": "OK"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "c11ab989-2196-f6ff-9cd9-f75438c46596"
+ }
+]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_rules_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_rules_returns_OK_response.freeze
index 5490c515f82..7ee9fb8020f 100644
--- a/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_rules_returns_OK_response.freeze
+++ b/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_rules_returns_OK_response.freeze
@@ -1 +1 @@
-2024-04-23T17:57:49.136Z
\ No newline at end of file
+2025-04-01T14:30:58.771Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_rules_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_rules_returns_OK_response.json
index 65a1267d1bf..ffaf4ce98e3 100644
--- a/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_rules_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_rules_returns_OK_response.json
@@ -8,7 +8,7 @@ "secure": true }, "httpResponse": { - "body": "{\"data\":[{\"id\":\"50t-g20-n4o\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1710772096000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"Randomname\",\"updateDate\":1710772096000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"oed-ka8-syl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711550899000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"my_agent_rule\",\"updateDate\":1711550899000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"lhe-ksz-xyj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711595493000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testjavagetacsmthreatsagentrulereturnsokresponse1711595493\",\"updateDate\":1711595493000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"24l-rs9-d0x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1710500975000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1710500975\",\"updateDate\":1710500975000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"7ts-208-rn4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AppArmor profile was modified in an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"apparmor_modified_tty\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-7m7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditctl command was used to modify auditd\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"auditctl\\\" \\u0026\\u0026 exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditctl_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-ly8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd configuration file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"auditd_config_modified\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-ehx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd rules file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditd_rule_file_modified\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"9f3-haw-91q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS EKS service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"aws_eks_service_account_token_accessed\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"wgv-wsb-pse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", ~\\\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"aws_imds\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"c2g-31u-jpk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An Azure IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"azure_imds\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-a41\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The base64 command was used to decode information\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"base64\\\" \\u0026\\u0026 exec.args_flags in [\\\"d\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"base64_decode\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-4tl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Certutil was executed to transmit or decode a potentially malicious file\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"certutil.exe\\\" \\u0026\\u0026 ((exec.cmdline =~ \\\"*urlcache*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*split*\\\") || exec.cmdline =~ \\\"*decode*\\\")\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"certutil_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-nin\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS request was made for a chatroom domain\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"chatroom_request\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"647-nlb-uld\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility (nmap) commonly used in intrusion attacks was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zgrab\\\", \\\"zgrab2\\\", \\\"rustscan\\\", \\\"pnscan\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"common_net_intrusion_util\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"smg-le8-msf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler wrote a suspicious file in a container\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n\\u0026\\u0026 (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"])\\n\\u0026\\u0026 process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n\\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"compile_after_delivery\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"ehh-ypb-9pl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler was executed inside of a container\",\"enabled\":true,\"expression\":\"(exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || (exec.file.name == \\\"go\\\" \\u0026\\u0026 exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) \\u0026\\u0026 container.id !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/cilium-agent\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"compiler_in_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-u7b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Known offensive tool crackmap exec executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*crackmapexec*\\\", ~\\\"*cme*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"crackmap_exec_executed\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"s9m-foq-qqz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"td2-31c-ln4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"lli-czr-q4y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ 
\\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-3b9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_open_v2\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"0yj-grp-cmx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"q08-c9l-rsp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential 
files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"kv9-026-vhz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not 
in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-brb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"regedit used to export critical registry hive\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"reg.exe\\\", \\\"regedit.exe\\\"] \\u0026\\u0026 exec.cmdline in [~\\\"*hklm*\\\", ~\\\"*hkey_local_machine*\\\", ~\\\"*system*\\\", ~\\\"*sam*\\\", ~\\\"*security*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"critical_registry_export\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"ogb-clp-hot\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"cron_at_job_creation_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"wnk-nli-nbp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"mcv-y5o-zg5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"uis-h13-41q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"xa1-b6v-n2l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", 
\\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"m23-qb9-9s8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"4mx-n6o-mmb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 
process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"jr3-0m8-jlj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process launched with arguments associated with cryptominers\",\"enabled\":true,\"expression\":\"exec.args_flags in [\\\"cpu-priority\\\", \\\"donate-level\\\", ~\\\"randomx-1gb-pages\\\"] || exec.args in [~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cryptominer_args\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-6jw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process environment variables match cryptocurrency miner\",\"enabled\":true,\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", \\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cryptominer_envs\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-h1x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Docker socket was referenced in a cURL command\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"curl\\\" \\u0026\\u0026 exec.args_flags in [\\\"unix-socket\\\"] \\u0026\\u0026 exec.args in [~\\\"*docker.sock*\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"curl_docker_socket\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"mq1-y7n-kf2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) \\u0026\\u0026\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] \\u0026\\u0026\\n!(process.parent.file.name == \\\"initdb\\\" \\u0026\\u0026\\nexec.args == \\\"-c locale -a\\\") \\u0026\\u0026\\n!(process.parent.file.name == \\\"postgres\\\" \\u0026\\u0026\\nexec.args == ~\\\"*pg_wal*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"database_shell_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-u1r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process deleted common system log files\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/var/run/utmp\\\", \\\"/var/log/wtmp\\\", \\\"/var/log/btmp\\\", \\\"/var/log/lastlog\\\", \\\"/var/log/faillog\\\", \\\"/var/log/syslog\\\", \\\"/var/log/messages\\\", \\\"/var/log/secure\\\", \\\"/var/log/auth.log\\\", \\\"/var/log/boot.log\\\", \\\"/var/log/kern.log\\\"] \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"delete_system_log\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-juz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A privileged container was created\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 container.created_at \\u003c 1s \\u0026\\u0026 process.cap_permitted \\u0026 CAP_SYS_ADMIN \\u003e 
0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"deploy_priv_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"sej-11b-ey6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation attempt\",\"enabled\":true,\"expression\":\"(splice.pipe_entry_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \\u0026\\u0026 (splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dirty_pipe_attempt\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"422-svi-03v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation\",\"enabled\":true,\"expression\":\"(splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) \\u003e 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dirty_pipe_exploitation\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-beh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dotnet_dump was used to dump a process memory\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*dotnet-dump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*collect*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"dotnet_dump_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"2rq-drz-11u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process unlinked a dynamic linker config file\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dynamic_linker_config_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"2s5-ipa-ooo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process wrote to a dynamic linker config file\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", 
\\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dynamic_linker_config_write\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-4xu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the lsmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exec_lsmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-fqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The whoami command was executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"whoami\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exec_whoami\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-ev8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The wrmsr program executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"wrmsr\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exec_wrmsr\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-bus\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The executable bit was added to a newly created file\",\"enabled\":true,\"expression\":\"chmod.file.in_upper_layer \\u0026\\u0026\\nchmod.file.change_time \\u003c 30s \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026\\nchmod.file.destination.mode != chmod.file.mode \\u0026\\u0026\\nchmod.file.destination.mode \\u0026 S_IXUSR|S_IXGRP|S_IXOTH \\u003e 0 \\u0026\\u0026\\nprocess.argv in [\\\"+x\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"executable_bit_added\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"ro4-rju-1vq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An GCP IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", ~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"gcp_imds\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-bgf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A hidden file was executed in a suspicious folder\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\".*\\\" \\u0026\\u0026 exec.file.path in [~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"hidden_file_executed\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"jeh-18e-m9h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An interactive shell was started inside of a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 exec.args_flags in [\\\"i\\\"] \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"interactive_shell_in_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-x7z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process executed with arguments common with Inveigh tool usage\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*SpooferIP*\\\", ~\\\"*ReplyToIPs*\\\", ~\\\"*ReplyToDomains*\\\", ~\\\"*ReplyToMACs*\\\", ~\\\"*SnifferIP*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"inveigh_tool_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"4ov-ang-2gx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a IP check service\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ip_check_domain\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-88h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Egress traffic allowed using iptables\",\"enabled\":true,\"expression\":\"exec.comm == \\\"iptables\\\" \\u0026\\u0026 process.args in [r\\\".*OUTPUT.*((25[0-5]|(2[0-4]|1\\\\d|[1-9]|)\\\\d)\\\\.?\\\\b){4}.*ACCEPT\\\"] \\u0026\\u0026 process.args not in [r\\\"(127\\\\.)|(10\\\\.)|(172\\\\.1[6-9]\\\\.)|(172\\\\.2[0-9]\\\\.)|(^172\\\\.3[0-1]\\\\.)|(192\\\\.168\\\\.)|(169\\\\.254\\\\.)\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"iptables_egress_allowed\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-but\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n 
\\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",
\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"])\\n\\u0026\\u0026 process.parent.file.name == \\\"java\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"java_shell_execution_parent\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-mfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Jupyter notebook executed a shell\",\"enabled\":true,\"expression\":\"(exec.file.name in 
[\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"test\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in [\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"jupyter_shell_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"0i7-z9o-zed\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Kubernetes pod service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/var/run/secrets/kubernetes.io/serviceaccount/**\\\", ~\\\"/run/secrets/kubernetes.io/serviceaccount/**\\\"] \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"] \\u0026\\u0026 process.file.path not in [\\\"/usr/bin/cilium-agent\\\", \\\"/coredns\\\", \\\"/usr/bin/cilium-operator\\\", \\\"/manager\\\", \\\"/fluent-bit/bin/fluent-bit\\\", \\\"/usr/local/bin/cloud-node-manager\\\", \\\"/secrets-store-csi\\\", \\\"/bin/secrets-store-csi-driver-provider-aws\\\", \\\"/usr/bin/calico-node\\\", \\\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\\\", \\\"/nginx-ingress-controller\\\", \\\"/cluster-autoscaler\\\", \\\"/cluster-proportional-autoscaler\\\", \\\"/haproxy-ingress-controller\\\", \\\"/kube-state-metrics\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/external-secrets\\\", \\\"/node-termination-handler\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/vault\\\", \\\"/usr/local/bin/kubectl\\\", 
\\\"/local-provisioner\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/usr/local/bin/vaultd\\\", \\\"/usr/local/bin/trace-driveline-writer\\\", \\\"/usr/local/bin/registration-controller\\\", \\\"/usr/local/bin/cluster-autoscaler\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"k8s_pod_service_account_token_accessed\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"2dz-kyt-nme\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) 
\\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"94l-lhd-e33\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"ucb-5zb-rmj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 
process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"5t3-iiv-rv5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded\",\"enabled\":true,\"expression\":\"load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", \\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\"] \\u0026\\u0026 process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"dkb-9ud-0ca\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container loaded a new kernel module\",\"enabled\":true,\"expression\":\"load_module.name != \\\"\\\" \\u0026\\u0026 container.id 
!=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"lrg-avx-x1k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_from_memory\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"gx3-4a5-w9a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory inside a container\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_from_memory_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"56y-vsb-zqu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"3i1-zpd-ycj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"20v-gdb-0ha\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"fyq-x5u-mv1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != 
\\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-dpm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to enable writing to model-specific registers\",\"enabled\":true,\"expression\":\"exec.comm == \\\"modprobe\\\" \\u0026\\u0026 process.args =~ \\\"*msr*allow_writes*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_msr_write\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-xv7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the kmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"kmod\\\" \\u0026\\u0026 exec.args in [~\\\"*list*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kmod_list\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-b7s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kubernetes DNS enumeration\",\"enabled\":true,\"expression\":\"dns.question.name == \\\"any.any.svc.cluster.local\\\" \\u0026\\u0026 dns.question.type == SRV \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kubernetes_dns_enumeration\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"j8a-wic-bvi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file directory\",\"enabled\":true,\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\", ~\\\"LD_PRELOAD=/dev/shm/*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ld_preload_unusual_library_path\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-fbb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Library libpam.so hooked using eBPF\",\"enabled\":true,\"expression\":\"bpf.cmd == BPF_MAP_CREATE \\u0026\\u0026 process.args in [r\\\".*libpam.so.*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"libpam_ebpf_hook\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-j1b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Looney Tunables (CVE-2023-4911) exploit attempted\",\"enabled\":true,\"expression\":\"exec.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 exec.file.uid == 0 \\u0026\\u0026 exec.uid != 0 \\u0026\\u0026 exec.envs in [~\\\"*GLIBC_TUNABLES*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"looney_tunables_exploit\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-6ql\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"memfd object created\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\"memfd*\\\" \\u0026\\u0026 exec.file.path == \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"memfd_create\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-d1i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process memory was dumped using the minidump function from comsvcs.dll\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*MiniDump*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"minidump_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"caz-yrk-14e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"enabled\":true,\"expression\":\"dns.question.name in [~\\\"*minexmr.com\\\", ~\\\"*nanopool.org\\\", ~\\\"*supportxmr.com\\\", ~\\\"*c3pool.com\\\", ~\\\"*p2pool.io\\\", ~\\\"*ethermine.org\\\", ~\\\"*f2pool.com\\\", ~\\\"*poolin.me\\\", ~\\\"*rplant.xyz\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mining_pool_lookup\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-mxb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The host file system was mounted in a container\",\"enabled\":true,\"expression\":\"mount.source.path == 
\\\"/\\\" \\u0026\\u0026 mount.fs_type != \\\"overlay\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_host_fs\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-mr5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process hidden using mount\",\"enabled\":true,\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", ~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_proc_hide\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"zfb-ixo-o4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious file was written by a network utility\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0 \\u0026\\u0026 process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_file_download\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"sqi-q1z-onu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Network utility executed with suspicious URI\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] \",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_unusual_request\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"7y2-ihu-hm2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id == \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_util\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"a52-req-ghm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Exfiltration attempt via network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 \\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", ~\\\"F=file*\\\"] \\u0026\\u0026\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_util_exfiltration\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"w0z-64n-bss\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed in a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_util_in_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-9rk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Local account groups were enumerated after container start up\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"network_sniffing_tool\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"xgw-28i-480\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container executed a new binary not found in the container image\",\"enabled\":true,\"expression\":\"container.id != \\\"\\\" \\u0026\\u0026 process.file.in_upper_layer \\u0026\\u0026 process.file.modification_time \\u003c 30s \\u0026\\u0026 exec.file.name != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"new_binary_execution_in_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"mqh-lgo-brj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"v2b-cd3-clr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"wwc-6it-t7i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"e5h-onu-f7l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-i9x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) 
\\u0026\\u0026 container.created_at \\u003e 90s \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_open_v2\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"sif-d9p-wzg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"4mu-d2x-fyk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"qt9-i99-q9p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n 
(utimes.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-d4i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"NTDS file referenced in commandline\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"ntds_in_commandline\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-49j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A known kubernetes pentesting tool has been executed\",\"enabled\":true,\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] \\u0026\\u0026 (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"offensive_k8s_tool\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"4yt-ize-avz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Omiagent spawns a privileged child process\",\"enabled\":true,\"expression\":\"exec.uid \\u003e= 0 \\u0026\\u0026 process.ancestors.file.name == \\\"omiagent\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"omigod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-tp8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process opened a model-specific register (MSR) configuration file\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/sys/module/msr/parameters/allow_writes\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"open_msr_writes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"m7d-vlh-3yq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Package management was detected in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"package_management_in_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"34t-hic-8cn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != 
chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"pfu-dvh-e5w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"x7i-34j-1rv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"w7o-w48-j34\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" 
])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"wri-hx3-4n3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"900-1sj-xhs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"pxk-42u-fga\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", 
\\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"l2e-aka-bw6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"enabled\":true,\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"passwd_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"460-gys-lqp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a pastebin-like site\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"paste_site\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"7vi-w5r-h15\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n 
\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"xiu-ghq-4zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"9ym-18v-5zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"fpa-r6g-2em\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n 
open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-y7j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_open_v2\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"9pu-mp3-xea\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"ssp-47a-p20\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have 
been modified\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"q0u-s8m-8pd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", 
\\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-8j2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A web application spawned a shell or shell utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) \\u0026\\u0026\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"potential_web_shell_parent\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-guo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was executed matching arguments for a UAC bypass technique common in powershell empire\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\\\", ~\\\"*-NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"powershell_empire_uac_bypass\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-oy4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A tool used to dump process memory has been executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"procmon.exe\\\",\\\"procdump.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"procdump_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-oyv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Processes were listed using the ps command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"ps\\\" \\u0026\\u0026 exec.argv not in [\\\"-p\\\", \\\"--pid\\\"] \\u0026\\u0026 process.ancestors.file.name not in [\\\"qualys-cloud-agent\\\", \\\"amazon-ssm-agent\\\"] \\u0026\\u0026 process.parent.file.name not in [\\\"rkhunter\\\", \\\"jspawnhelper\\\", ~\\\"vm-agent*\\\", \\\"PassengerAgent\\\", \\\"node\\\", \\\"wdavdaemon\\\", \\\"chkrootkit\\\", \\\"tsagentd\\\", \\\"wazuh-modulesd\\\", \\\"wdavdaemon\\\", \\\"talend-remote-engine-service\\\", \\\"check_procs\\\", \\\"newrelic-daemon\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ps_discovery\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"pwu-7u7-iiq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_TRACEME \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ptrace_antidebug\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"kpm-7kh-xz5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to inject code into another process\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ptrace_injection\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"wpz-bim-6rb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"enabled\":true,\"expression\":\"(exec.file.path == \\\"/usr/bin/pkexec\\\" \\u0026\\u0026 exec.envs in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] \\u0026\\u0026 exec.envs not in [~\\\"*DISPLAY*\\\", ~\\\"*DESKTOP_SESSION*\\\"] \\u0026\\u0026 exec.uid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pwnkit_privilege_escalation\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"g7f-kfr-tdb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Python code was provided on the command line\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"python*\\\" \\u0026\\u0026 exec.args_flags in [\\\"c\\\"] \\u0026\\u0026 exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", ~\\\"*-c*/bash*\\\", ~\\\"*-c*/bin/sh*\\\", ~\\\"*-c*pty.spawn*\\\"] \\u0026\\u0026 exec.args !~ \\\"*setuptools*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"python_cli_code\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-do7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Possible ransomware note created under common user directories\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", 
~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", ~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n\\u0026\\u0026 open.file.name in [r\\\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\\\"] \\u0026\\u0026 open.file.name not in [r\\\".*\\\\.lock$\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ransomware_note\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-y27\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"RC scripts modified\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 (open.file.path in [\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"rc_scripts_modified\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-qwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The kubeconfig file was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"read_kubeconfig\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-rhk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"OS information was read from the /etc/lsb-release file\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/etc/lsb-release\\\" \\u0026\\u0026 open.flags \\u0026 O_RDONLY \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"read_release_info\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-npv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Detects CVE-2022-0543\",\"enabled\":true,\"expression\":\"(open.file.path =~ \\\"/usr/lib/x86_64-linux-gnu/*\\\" \\u0026\\u0026 open.file.name in [\\\"libc-2.29.so\\\", \\\"libc-2.30.so\\\", \\\"libc-2.31.so\\\", \\\"libc-2.32.so\\\", \\\"libc-2.33.so\\\", \\\"libc-2.34.so\\\", \\\"libc-2.35.so\\\", \\\"libc-2.36.so\\\", \\\"libc-2.37.so\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"redis_sandbox_escape\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-wv3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Redis module has been created\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) \\u0026\\u0026 process.file.name in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"redis_save_module\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-6oh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Registry runkey has been modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunonceEx\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_runkey_modified\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-6x2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Service registry runkey 
modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServicesOnce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\CurrentVersion\\\\\\\\RunServices\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_service_runkey_modified\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-bv2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process matches known relay attack tool\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"*PetitPotam*\\\", ~\\\"*RottenPotato*\\\", ~\\\"*HotPotato*\\\", ~\\\"*JuicyPotato*\\\", ~\\\"*just_dce_*\\\", ~\\\"*Juicy Potato*\\\", \\\"rot.exe\\\", \\\"Potato.exe\\\", \\\"SpoolSample.exe\\\", \\\"Responder.exe\\\", ~\\\"*smbrelayx*\\\", ~\\\"*smbrelayx*\\\", ~\\\"*ntlmrelayx*\\\", ~\\\"*LocalPotato*\\\"] || exec.cmdline in [~\\\"*Invoke-Tater*\\\", ~\\\"*smbrelay*\\\", ~\\\"*ntlmrelay*\\\", ~\\\"*cme smb*\\\", ~\\\"*ntlm:NTLMhash*\\\", ~\\\"*Invoke-PetitPotam*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"relay_attack_tool_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-b5z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match rubeus credential theft tool\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*asreproast*\\\", ~\\\"*/service:krbtgt*\\\", ~\\\"*dump /luid:0x*\\\", ~\\\"*kerberoast*\\\", ~\\\"*createonly /program*\\\", ~\\\"*ptt /ticket*\\\", ~\\\"*impersonateuser*\\\", 
~\\\"*renew /ticket*\\\", ~\\\"*asktgt /user*\\\", ~\\\"*harvest /interval*\\\", ~\\\"*s4u /user*\\\", ~\\\"*hash /password*\\\", ~\\\"*golden /aes256*\\\", ~\\\"*silver /user*\\\", \\\"*rubeus*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"rubeus_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-h19\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The container breakout CVE-2024-21626 was successful\",\"enabled\":true,\"expression\":\"chdir.file.path == \\\"/sys/fs/cgroup\\\" \\u0026\\u0026 chdir.file.filesystem in [\\\"cgroup\\\", \\\"cgroup2\\\"] \\u0026\\u0026 process.file.name =~ \\\"runc.*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"runc_leaky_fd\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"tlu-qlm-1ow\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The runc binary was modified in a non-standard way\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n\\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"runc_modification\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-x51\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Safeboot registry modified\",\"enabled\":true,\"expression\":\"set.registry.key_path =~ \\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SafeBoot\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"safeboot_modification\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-vqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A scheduled task was created\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*at.exe\\\",~\\\"*schtasks*\\\"] \\u0026\\u0026 exec.cmdline =~ \\\"*create*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"scheduled_task_creation\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"wgq-lg4-tas\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SELinux enforcement status was disabled\",\"enabled\":true,\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] \\u0026\\u0026 process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"selinux_disable_enforcement\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-j45\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process is tracing privileged processes or sshd for possible credential dumping\",\"enabled\":true,\"expression\":\"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \\u0026\\u0026 ptrace.tracee.euid == 0 \\u0026\\u0026 process.comm not in [\\\"dlv\\\", \\\"dlv-linux-amd64\\\", \\\"strace\\\", \\\"gdb\\\", \\\"lldb-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sensitive_tracing\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-uv8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"systemctl used to stop a service\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"systemctl\\\" \\u0026\\u0026 exec.args in [~\\\"*stop*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"service_stop\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-qf8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"sharpup tool used for local privilege escalation\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sharpup.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*HijackablePaths*\\\", ~\\\"*UnquotedServicePath*\\\", ~\\\"*ProcessDLLHijack*\\\", ~\\\"*ModifiableServiceBinaries*\\\", ~\\\"*ModifiableScheduledTask*\\\", ~\\\"*DomainGPPPassword*\\\", ~\\\"*CachedGPPPassword*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"sharpup_tool_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"dfr-by9-sx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"(unlink.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\") \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_deleted\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"dmf-a2c-odj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A symbolic link for shell history was created targeting /dev/null\",\"enabled\":true,\"expression\":\"exec.comm == \\\"ln\\\" \\u0026\\u0026 exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_symlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"v5x-8l4-d6a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\" \\u0026\\u0026 open.file.path in [~\\\"/root/*\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.file.name == \\\"truncate\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"shell_history_truncated\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-fn2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell profile was modified\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] \\u0026\\u0026 open.flags \\u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_profile_modification\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-hbr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match sliver c2 implant\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*NoExit *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*Command *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"sliver_c2_implant_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"htc-275-0wt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != 
chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"7q3-6aa-pix\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"91f-pyq-54k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n link.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (link.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"rpc-ji0-zfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified 
keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-qwu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_open_v2\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"t5u-qdx-650\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n rename.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (rename.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"y0y-3gl-645\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n unlink.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (unlink.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"hba-kfe-1xr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n utimes.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (utimes.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-o13\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The configuration directory for an ssh worm\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] \\u0026\\u0026 open.flags \\u0026 
(O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_it_tool_config_write\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"y5i-yxn-27t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.mode != chmod.file.destination.mode\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"kyr-sg6-us9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", 
~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"w6f-wte-i63\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n 
\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"191-ty1-ede\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-qt6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 
(O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n\\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_open_v2\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"o5t-b08-86p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"9y1-cbb-p03\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"ayv-hqe-lx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 
process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-crv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-l8e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-myb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path == \\\"/etc/sudoers\\\"\\n || link.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-mmo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"\\n(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n(open.file.path == \\\"/etc/sudoers\\\")) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-550\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path == \\\"/etc/sudoers\\\"\\n || rename.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-bxs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-s07\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-5wh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a SUID file was executed\",\"enabled\":true,\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) \\u0026\\u0026 process.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 process.file.uid == 0 \\u0026\\u0026 process.uid != 0 \\u0026\\u0026 process.file.path != \\\"/usr/bin/sudo\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suid_file_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-4y4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious bitsadmin command has been executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"bitsadmin.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*addfile*\\\", ~\\\"*create*\\\", ~\\\"*resume*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"suspicious_bitsadmin_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"afj-5sv-2wb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container management utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"suspicious_container_client\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-eck\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dll written to a suspicious directory\",\"enabled\":true,\"expression\":\"create.file.name =~ \\\"*.dll\\\" \\u0026\\u0026 create.file.path !~ \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"suspicious_dll_write\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-2k6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Suspicious usage of ntdsutil\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"ntdsutil.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*ntds*\\\", ~\\\"*create*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"suspicious_ntdsutil_usage\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-zo8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently written or modified suid file has been executed\",\"enabled\":true,\"expression\":\"((process.file.mode \\u0026 S_ISUID \\u003e 0) \\u0026\\u0026 process.file.modification_time \\u003c 30s) \\u0026\\u0026 exec.file.name != \\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", 
\\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suspicious_suid_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"48s-46n-g4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_chmod\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"wwy-h4d-pwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in 
[~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_chown\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"64n-p6m-uq1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_link\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"7zw-qbm-y6d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", 
~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_open\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"prk-6q1-g0m\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_rename\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"jlt-y4v-dax\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", 
~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_unlink\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"yjj-o5q-x00\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_utimes\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-18q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tar archive created\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" \\u0026\\u0026 exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tar_execution\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection 
Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-925\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell with a TTY was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 process.tty_name != \\\"\\\" \\u0026\\u0026 process.container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tty_shell_in_container\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-hlr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tunneling or port forwarding tool used\",\"enabled\":true,\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") \\u0026\\u0026 process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] \\u0026\\u0026 process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] \\u0026\\u0026 process.args in 
[r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" \\u0026\\u0026 process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" \\u0026\\u0026 process.args in [r\\\".*(TCP4-LISTEN:|SOCKS).*\\\"]) || (exec.comm in [\\\"iodine\\\", \\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] \\u0026\\u0026 process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tunnel_traffic\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"07y-k18-cih\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was created via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"D\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"user_created_tty\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-qem\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was deleted via an interactive 
session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"userdel\\\", \\\"deluser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"user_deleted_tty\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-fsq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A cryptominer was potentially executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*xmrig*\\\", ~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", ~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_cryptominer_process\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}},{\"id\":\"def-000-vjv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713377577000,\"creator\":{\"name\":\"Detection Engineer\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Command executed via WMI\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name == \\\"WmiPrvSE.exe\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"wmi_spawning_shell\",\"updateDate\":1713377577000,\"updater\":{\"name\":\"Detection Engineer\",\"handle\":\"\"}}}]}", + "body": 
"{\"data\":[{\"id\":\"50t-g20-n4o\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1710772096000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"Randomname\",\"updateDate\":1710772096000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4mc-0xr-vlw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714264624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714264624\",\"updateDate\":1714264624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zu3-7yi-3w0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714696626000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714696624\",\"updateDate\":1714696626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xg2-lum-j2a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714783024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714783024\",\"updateDate\":1714783024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rsm-fam-pfp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714869424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714869424\",\"updateDate\":1714869424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ulx-voj-zk3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714883824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714883824\",\"updateDate\":1714883824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nio-59w-ip8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714927026000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1714927026\",\"updateDate\":1714927026000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5zt-j5u-aqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715287024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715287024\",\"updateDate\":1715287024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"k8w-brg-51l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715445426000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715445424\",\"updateDate\":1715445426000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"eue-gqs-59v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715503024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715503024\",\"updateDate\":1715503024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9wz-mgt-zkp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715546226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715546226\",\"updateDate\":1715546226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fii-ysi-7bu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1715618226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715618224\",\"updateDate\":1715618226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hhl-9nk-8ls\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715819826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715819824\",\"updateDate\":1715819826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rc4-b53-3sj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715863024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1715863024\",\"updateDate\":1715863024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w3d-qp8-3yb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716309424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1716309424\",\"updateDate\":1716309424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"cvn-qsw-ibn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716410225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1716410224\",\"updateDate\":1716410225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vyd-2vb-tnk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1738469890000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1738469890\",\"updateDate\":1738469890000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ulc-hn1-cz5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725295024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1725295023\",\"updateDate\":1725295024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"jbe-827-tq7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732768624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1732768624\",\"updateDate\":1732768624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ezw-7rm-wca\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735634224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1735634224\",\"updateDate\":1735634224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"p4n-ijm-zeu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714155721000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714155721\",\"updateDate\":1714155721000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"piq-bha-m6t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714279024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714279024\",\"updateDate\":1714279024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rno-53m-mf3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714538225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714538225\",\"updateDate\":1714538225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bwj-n0m-ut5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714653425000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714653424\",\"updateDate\":1714653425000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hk2-qrd-3jt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714667824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714667824\",\"updateDate\":1714667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zdz-ued-luw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714797424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714797424\",\"updateDate\":1714797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tf1-bgq-7bb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714883824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1714883824\",\"updateDate\":1714883824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"35e-29w-qhu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715128624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715128624\",\"updateDate\":1715128624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"iyj-haq-dvu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715373426000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715373425\",\"updateDate\":1715373426000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rgf-wo7-4fj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715402226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715402224\",\"updateDate\":1715402226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"stq-uwx-efd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715531824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715531824\",\"updateDate\":1715531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"i0b-hk0-7h3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715560625000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1715560625\",\"updateDate\":1715560625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0zl-ilo-guv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716050224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716050224\",\"updateDate\":1716050224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"e7g-3t1-hpu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1716352624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716352624\",\"updateDate\":1716352624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qoe-y42-hqp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716554224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1716554224\",\"updateDate\":1716554224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sic-1px-69u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717418225000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1717418224\",\"updateDate\":1717418225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3kk-4rm-qug\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1718426224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1718426224\",\"updateDate\":1718426224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"b79-xcg-63p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719059824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719059824\",\"updateDate\":1719059824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"veg-qf4-lgr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719967025000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719967024\",\"updateDate\":1719967025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ukn-yjf-h6a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719981424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1719981423\",\"updateDate\":1719981424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ssm-zlm-vqh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720312626000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1720312624\",\"updateDate\":1720312626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qba-1qm-uj5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721075824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721075824\",\"updateDate\":1721075824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uhw-kuq-ute\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721119025000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721119024\",\"updateDate\":1721119025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ftd-d3e-byt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721666224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721666224\",\"updateDate\":1721666224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9n1-l1g-u4k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1721853424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721853423\",\"updateDate\":1721853424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4qm-ikt-fpr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721954224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1721954223\",\"updateDate\":1721954224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"d7t-4i4-tex\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1722659826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1722659824\",\"updateDate\":1722659826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mda-uab-xow\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723178226000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1723178224\",\"updateDate\":1723178226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3cv-rwp-2t7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724215024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724215024\",\"updateDate\":1724215024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vvb-sfk-jn1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724647024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724647024\",\"updateDate\":1724647024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"li0-j5t-0hv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724848624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1724848624\",\"updateDate\":1724848624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hlp-8dr-0i3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725467825000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1725467823\",\"updateDate\":1725467825000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xw4-uw8-mmx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725885424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1725885424\",\"updateDate\":1725885424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3gw-vkx-b7s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728419826000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1728419824\",\"updateDate\":1728419826000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xxc-35o-apy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1729427824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1729427824\",\"updateDate\":1729427824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3hj-2t8-ydm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1729787824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1729787824\",\"updateDate\":1729787824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zt8-od0-yxu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730205424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730205423\",\"updateDate\":1730205424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"svl-2s4-jd4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730450224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730450223\",\"updateDate\":1730450224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ycc-lv0-6oj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730939824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1730939824\",\"updateDate\":1730939824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"d2g-d0v-w1l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732019824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732019824\",\"updateDate\":1732019824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7s9-sfq-2km\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732552624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732552624\",\"updateDate\":1732552624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tb2-3ij-eep\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732667824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732667824\",\"updateDate\":1732667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sfj-gky-roy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732869424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732869424\",\"updateDate\":1732869424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"sz5-kvy-3kd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732927024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1732927024\",\"updateDate\":1732927024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"2vn-l1s-b0y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733013424000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733013424\",\"updateDate\":1733013424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nco-423-hiu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733531824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733531824\",\"updateDate\":1733531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"l57-d8u-edg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1733546224000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733546224\",\"updateDate\":1733546224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4sz-cc7-ukd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733560627000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733560624\",\"updateDate\":1733560627000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"o9g-ptk-2zv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733575024000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733575024\",\"updateDate\":1733575024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xg0-u09-xir\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733603824000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733603824\",\"updateDate\":1733603824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fog-8k1-fzi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733704624000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733704624\",\"updateDate\":1733704624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wzz-ni8-56v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733963824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1733963824\",\"updateDate\":1733963824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mdn-0hh-uw1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734050226000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734050223\",\"updateDate\":1734050226000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3ox-06e-x4c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734093424000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734093423\",\"updateDate\":1734093424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uyv-a9k-8l7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734395826000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734395824\",\"updateDate\":1734395826000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5b4-k0v-rzw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734424624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734424623\",\"updateDate\":1734424624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w60-a8d-qrd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734439024000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734439023\",\"updateDate\":1734439024000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zsr-y94-6u2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1734482226000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734482224\",\"updateDate\":1734482226000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0t6-uce-ee0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734899824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734899824\",\"updateDate\":1734899824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fiw-wuv-ueg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734914224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1734914224\",\"updateDate\":1734914224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"n8l-rby-b42\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735072624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735072624\",\"updateDate\":1735072624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"v14-hvg-0fd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735216626000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735216624\",\"updateDate\":1735216626000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"shf-bur-1id\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735288624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735288624\",\"updateDate\":1735288624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"18r-273-a6u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735547824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735547824\",\"updateDate\":1735547824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1ys-tf8-u32\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735562224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735562224\",\"updateDate\":1735562224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1ej-lz6-3iy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735648624000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735648624\",\"updateDate\":1735648624000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"981-x7o-izo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735749424000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735749424\",\"updateDate\":1735749424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"897-56j-4uj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735907824000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735907823\",\"updateDate\":1735907824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"f5p-men-xz3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1735994224000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1735994224\",\"updateDate\":1735994224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wt2-84b-uy6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737433133000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1737433133\",\"updateDate\":1737433133000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"269-p6y-i3p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1742473183000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1742473182\",\"updateDate\":1742473183000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vxv-90c-vm4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714279023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714279022\",\"updateDate\":1714279024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rta-b8v-4uf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714322223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714322222\",\"updateDate\":1714322224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qo2-qin-6hg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714351023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714351022\",\"updateDate\":1714351024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"aoo-snu-t5u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714423023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714423023\",\"updateDate\":1714423024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vsk-ewy-s83\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714451823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714451823\",\"updateDate\":1714451824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"o4r-6tp-yk0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714466223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714466223\",\"updateDate\":1714466224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"710-xzg-ays\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714480623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714480623\",\"updateDate\":1714480624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tjr-ib4-gya\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714509423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714509423\",\"updateDate\":1714509424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"yep-euy-ttp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714552623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714552623\",\"updateDate\":1714552624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ps4-63s-bzc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714567023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714567023\",\"updateDate\":1714567024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kax-qcg-qu0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714581423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714581423\",\"updateDate\":1714581424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"245-ynt-xcy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714610223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714610223\",\"updateDate\":1714610224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1m6-dg0-lq9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714624623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714624623\",\"updateDate\":1714624624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3xf-404-qez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714667823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714667823\",\"updateDate\":1714667824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"e6l-qo1-y2e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714682223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714682223\",\"updateDate\":1714682224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"k95-kl4-jxt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714696623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714696623\",\"updateDate\":1714696627000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"es7-rhv-nra\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714797423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714797422\",\"updateDate\":1714797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"syl-o29-0dq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714826223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714826223\",\"updateDate\":1714826223000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7sd-d1r-ts5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1714840623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714840622\",\"updateDate\":1714840624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"97d-p9d-x1d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1714941423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1714941422\",\"updateDate\":1714941424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mgl-xtg-ctl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715027823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715027822\",\"updateDate\":1715027824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"a9f-o95-atg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715128623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715128622\",\"updateDate\":1715128624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rjm-biu-bqq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715272623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715272622\",\"updateDate\":1715272624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nor-y5a-3sn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715373423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715373422\",\"updateDate\":1715373424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4fo-giq-5f8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715416623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715416622\",\"updateDate\":1715416624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"c79-8dg-klx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715445423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715445422\",\"updateDate\":1715445424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"f4p-2wj-hrf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715459823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715459822\",\"updateDate\":1715459824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"bou-hvm-24h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715474223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715474222\",\"updateDate\":1715474224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"lf1-s8g-yf7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715503023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715503022\",\"updateDate\":1715503024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"krx-co0-pz2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715531823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715531822\",\"updateDate\":1715531824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"uqg-z0t-83n\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1715575023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715575022\",\"updateDate\":1715575024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kid-vkk-fj9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715603823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715603822\",\"updateDate\":1715603824000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"h4n-yuq-2mp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715632623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715632622\",\"updateDate\":1715632624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ocv-we5-g5y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715661423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715661422\",\"updateDate\":1715661423000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mzh-gda-c24\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715762223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1715762222\",\"updateDate\":1715762224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mtg-s1f-xy5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716050223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716050222\",\"updateDate\":1716050224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"6ak-6po-dd6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716640623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716640622\",\"updateDate\":1716640624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5rb-4q9-p5g\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716813423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1716813422\",\"updateDate\":1716813424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"b7w-xgg-ocq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717130223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717130222\",\"updateDate\":1717130226000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1l2-7qh-mfa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717432623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717432622\",\"updateDate\":1717432626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"m77-qgu-c48\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1717677423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1717677422\",\"updateDate\":1717677424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"f2b-qds-3f4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1718815023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1718815022\",\"updateDate\":1718815024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"xh4-cv2-cfa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719031023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719031022\",\"updateDate\":1719031024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"fxe-inc-9zj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719938223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719938222\",\"updateDate\":1719938225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"pb3-26n-452\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1719981423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1719981422\",\"updateDate\":1719981424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hgr-nny-7zr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720471023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1720471022\",\"updateDate\":1720471024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wvg-hbj-6o2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720600623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1720600622\",\"updateDate\":1720600624000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9ji-2p2-v00\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721248623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721248623\",\"updateDate\":1721248625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"dou-40j-cpw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721378223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721378223\",\"updateDate\":1721378224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qd9-39s-51s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1721666223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1721666223\",\"updateDate\":1721666224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"g9j-hhf-7at\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1722703023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1722703023\",\"updateDate\":1722703024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ybg-c9d-29b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723034223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723034223\",\"updateDate\":1723034224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hsg-toh-i57\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1723610223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723610223\",\"updateDate\":1723610224000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tiy-95c-mkc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1723797423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1723797423\",\"updateDate\":1723797424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"7rw-grx-l7u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1726331823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1726331822\",\"updateDate\":1726331823000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"k1r-tva-i6e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1727829423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1727829422\",\"updateDate\":1727829425000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"4bk-eaa-j5w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728664623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1728664622\",\"updateDate\":1728664623000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"qk2-gkn-517\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730162223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730162223\",\"updateDate\":1730162225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ybl-tp8-aab\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730263023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730263022\",\"updateDate\":1730263025000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3xd-vam-hd2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1730479023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1730479022\",\"updateDate\":1730479024000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ro3-z56-52j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732221423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1732221423\",\"updateDate\":1732221424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"3ay-9ve-3i3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732451823000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1732451822\",\"updateDate\":1732451823000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"a66-2qy-xwe\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733128623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733128622\",\"updateDate\":1733128625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"9of-ebc-ypn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1733143023000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733143022\",\"updateDate\":1733143023000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"b68-yq9-x3q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733200623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733200622\",\"updateDate\":1733200625000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ev9-rxn-om1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733272623000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733272622\",\"updateDate\":1733272626000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"gds-0mc-sle\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733330223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733330222\",\"updateDate\":1733330225000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rwf-5af-jaw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733618223000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733618222\",\"updateDate\":1733618223000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"z2v-n54-g9a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1733661423000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1733661422\",\"updateDate\":1733661424000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"vma-z5w-bi9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734179823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734179822\",\"updateDate\":1734179825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ya9-48i-611\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734496623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734496623\",\"updateDate\":1734496625000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"l9m-5ce-g9i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734525423000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734525422\",\"updateDate\":1734525423000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kbx-ylg-k86\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734597423000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734597422\",\"updateDate\":1734597424000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"rec-v3q-e1c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734770223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734770223\",\"updateDate\":1734770227000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tr5-g9p-4jx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1734799023000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734799023\",\"updateDate\":1734799025000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"tps-9zv-vpp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734899823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1734899823\",\"updateDate\":1734899825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"0rc-s4t-d0f\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735562223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735562223\",\"updateDate\":1735562225000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ekr-3xj-8yj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735619823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735619823\",\"updateDate\":1735619825000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"p6o-t98-nm1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735691823000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735691823\",\"updateDate\":1735691824000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"nue-wxi-y3i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735720623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735720623\",\"updateDate\":1735720626000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"w95-d3h-c3r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1735864623000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1735864622\",\"updateDate\":1735864625000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"6w8-3xn-j4c\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1736066223000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1736066222\",\"updateDate\":1736066224000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hcr-3py-6it\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1736807340000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1736807340\",\"updateDate\":1736807342000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"00d-kfn-fwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740025013000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1740025013\",\"updateDate\":1740025019000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ceu-3h6-qug\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740269813000,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exampleupdateacsmthreatsagentrulereturnsokresponse1740269813\",\"updateDate\":1740269814000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"oed-ka8-syl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711550899000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"my_agent_rule\",\"updateDate\":1711550899000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"v9x-9ib-tr7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737288363000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"im a rule\",\"enabled\":true,\"expression\":\"open.file.name == \\\"etc/shadow/password\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"qljifimbbh\",\"updateDate\":1737288363000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ast-isd-tty\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1715645381000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1715645381\",\"updateDate\":1715645381000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"9l7-am7-hy6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1736986169000,\"creator\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1736986169\",\"updateDate\":1736986169000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"tw0-y2e-9wf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1738627773000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgocreateacsmthreatsagentrulereturnsokresponse1738627773\",\"updateDate\":1738627773000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"cdy-cvp-oqz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1728617680000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testjavacreateacsmthreatsagentrulereturnsokresponse1728617679\",\"updateDate\":1728617680000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"tth-j42-vc4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1732591470000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testjavacreateacsmthreatsagentrulereturnsokresponse1732591469\",\"updateDate\":1732591470000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"lhe-ksz-xyj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1711595493000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testjavagetacsmthreatsagentrulereturnsokresponse1711595493\",\"updateDate\":1711595493000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"73h-yo0-427\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1725240870000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1725240869\",\"updateDate\":1725240870000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ohq-oxe-jb4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1726883002000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1726883002\",\"updateDate\":1726883002000,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"912-lu2-2sg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1731203077000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testpythoncreateacsmthreatsagentrulereturnsokresponse1731203077\",\"updateDate\":1731203077000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"5c8-aij-182\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1720156180000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testrustgetacsmthreatsagentrulereturnsokresponse1720156180\",\"updateDate\":1720156180000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"5jy-8qa-vwx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1724216976000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testrustupdateacsmthreatsagentrulereturnsbadrequestresponse1724216976\",\"updateDate\":1724216976000,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"24l-rs9-d0x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1710500975000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent 
rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptgetacsmthreatsagentrulereturnsokresponse1710500975\",\"updateDate\":1710500975000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"pz7-rvb-ckm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1734692969000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1734692969\",\"updateDate\":1734692970000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"ctc-pux-luh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737951387000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1737951387\",\"updateDate\":1737951389000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"v64-qmf-tal\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1740543488000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1740543488\",\"updateDate\":1740543488000,\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"7ts-208-rn4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AppArmor profile was modified in an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"apparmor_modified_tty\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-7m7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditctl command was used to modify auditd\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"auditctl\\\" \\u0026\\u0026 exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditctl_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ly8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd configuration file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditd_config_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ehx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The auditd rules file was modified without using auditctl\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.name != \\\"auditctl\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"auditd_rule_file_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dnj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS CLI utility was executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"aws\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"aws_cli_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9f3-haw-91q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The AWS EKS service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", 
\\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"aws_eks_service_account_token_accessed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wgv-wsb-pse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", ~\\\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"aws_imds\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"c2g-31u-jpk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An Azure IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"azure_imds\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-a41\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The base64 command was used to decode information\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"base64\\\" \\u0026\\u0026 exec.args_flags in [\\\"d\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"base64_decode\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4tl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Certutil was executed to transmit or decode a potentially malicious file\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"certutil.exe\\\" \\u0026\\u0026 ((exec.cmdline =~ \\\"*urlcache*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*split*\\\") || exec.cmdline =~ \\\"*decode*\\\")\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"certutil_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nin\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS request was made for a chatroom domain\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"chatroom_request\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"647-nlb-uld\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility (nmap) commonly used in intrusion attacks was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zgrab\\\", \\\"zgrab2\\\", \\\"rustscan\\\", \\\"pnscan\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"common_net_intrusion_util\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"smg-le8-msf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler wrote a suspicious file in a container\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n\\u0026\\u0026 (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || process.ancestors.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"])\\n\\u0026\\u0026 process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n\\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"compile_after_delivery\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ehh-ypb-9pl\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A compiler was executed inside of a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\", \\\"bcc\\\"] || (exec.file.name == \\\"go\\\" \\u0026\\u0026 exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) \\u0026\\u0026 container.id !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path != 
\\\"/usr/bin/cilium-agent\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"compiler_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-u7b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Known offensive tool crackmap exec executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*crackmapexec*\\\", ~\\\"*cme.exe*\\\", ~\\\"*cme.py*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"crackmap_exec_executed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"s9m-foq-qqz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"credential_modified_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"td2-31c-ln4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lli-czr-q4y\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || 
link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-3b9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 
process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"0yj-grp-cmx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"credential_modified_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"q08-c9l-rsp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kv9-026-vhz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", 
\\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"credential_modified_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-brb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"regedit used to export critical registry hive\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"reg.exe\\\", \\\"regedit.exe\\\"] \\u0026\\u0026 exec.cmdline in [~\\\"*hklm*\\\", ~\\\"*hkey_local_machine*\\\", ~\\\"*system*\\\", ~\\\"*sam*\\\", ~\\\"*security*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"critical_registry_export\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-xg6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a critical windows file was modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\system32\\\\**\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"critical_windows_files_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ogb-clp-hot\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wnk-nli-nbp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mcv-y5o-zg5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"]\\n || link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"uis-h13-41q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n 
\\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xa1-b6v-n2l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"m23-qb9-9s8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron 
scheduling\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4mx-n6o-mmb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An unauthorized job was added to cron scheduling\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\", ~\\\"/etc/crontabs/**\\\"])\\n \\u0026\\u0026 process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cron_at_job_creation_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jr3-0m8-jlj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process 
launched with arguments associated with cryptominers\",\"enabled\":true,\"expression\":\"exec.args_options in [~\\\"cpu-priority*\\\", ~\\\"donate-level*\\\"] || exec.args_flags == \\\"randomx-1gb-pages\\\" || exec.args in [~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cryptominer_args\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6jw\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process environment variables match cryptocurrency miner\",\"enabled\":true,\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", \\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cryptominer_envs\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0fx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell process spawned from print server\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 process.parent.file.name == \\\"foomatic-rip\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"cups_spawned_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-h1x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Docker socket was referenced in a cURL command\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"curl\\\" 
\\u0026\\u0026 exec.args_flags in [\\\"unix-socket\\\"] \\u0026\\u0026 exec.args in [~\\\"*docker.sock*\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"curl_docker_socket\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mq1-y7n-kf2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"]) \\u0026\\u0026\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] \\u0026\\u0026\\n!(process.parent.file.name == \\\"initdb\\\" \\u0026\\u0026\\nexec.args == \\\"-c locale -a\\\") \\u0026\\u0026\\n!(process.parent.file.name == \\\"postgres\\\" \\u0026\\u0026\\nexec.args == ~\\\"*pg_wal*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"database_shell_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0en\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The debugfs was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"debugfs\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"debugfs_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-u1r\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process deleted common system log files\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/var/run/utmp\\\", \\\"/var/log/wtmp\\\", \\\"/var/log/btmp\\\", \\\"/var/log/lastlog\\\", \\\"/var/log/faillog\\\", \\\"/var/log/syslog\\\", \\\"/var/log/messages\\\", \\\"/var/log/secure\\\", \\\"/var/log/auth.log\\\", \\\"/var/log/boot.log\\\", \\\"/var/log/kern.log\\\"] \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"delete_system_log\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-juz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A privileged container was created\",\"enabled\":true,\"expression\":\"exec.file.name != \\\"\\\" \\u0026\\u0026 container.created_at \\u003c 1s \\u0026\\u0026 process.cap_permitted \\u0026 CAP_SYS_ADMIN \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"deploy_priv_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A file executed from /dev/shm/ directory\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/dev/shm/**\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"devshm_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sej-11b-ey6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation attempt\",\"enabled\":true,\"expression\":\"(splice.pipe_entry_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \\u0026\\u0026 (splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) == 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dirty_pipe_attempt\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"422-svi-03v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Potential Dirty pipe exploitation\",\"enabled\":true,\"expression\":\"(splice.pipe_exit_flag \\u0026 PIPE_BUF_FLAG_CAN_MERGE) \\u003e 0 \\u0026\\u0026 (process.uid != 0 \\u0026\\u0026 process.gid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dirty_pipe_exploitation\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-beh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dotnet_dump was used to dump a process memory\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*dotnet-dump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*collect*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"dotnet_dump_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2rq-drz-11u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process unlinked a dynamic linker config file\",\"enabled\":true,\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dynamic_linker_config_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2s5-ipa-ooo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process wrote to a dynamic linker config file\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"dynamic_linker_config_write\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4xu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the lsmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"exec_lsmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The whoami command was executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"whoami\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exec_whoami\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ev8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The wrmsr program executed\",\"enabled\":true,\"expression\":\"exec.comm == \\\"wrmsr\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"exec_wrmsr\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bus\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The executable bit was added to a newly created file\",\"enabled\":true,\"expression\":\"chmod.file.in_upper_layer \\u0026\\u0026\\nchmod.file.change_time \\u003c 30s \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026\\nchmod.file.destination.mode != chmod.file.mode \\u0026\\u0026\\nchmod.file.destination.mode \\u0026 S_IXUSR|S_IXGRP|S_IXOTH \\u003e 0 \\u0026\\u0026\\nprocess.argv in [\\\"+x\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"executable_bit_added\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nv0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The rclone utility was executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"rclone\\\", \\\"rsync\\\", \\\"sftp\\\", \\\"ftp\\\", \\\"scp\\\", \\\"dcp\\\", \\\"rcp\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"file_sync_exfil\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-t06\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"find command searching for sensitive files\",\"enabled\":true,\"expression\":\"exec.comm == \\\"find\\\" \\u0026\\u0026 exec.args in [~\\\"*credentials*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"find_credentials\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ro4-rju-1vq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An GCP IMDS was called via a network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", ~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"gcp_imds\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bgf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A hidden file was executed in a suspicious 
folder\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\".*\\\" \\u0026\\u0026 exec.file.path in [~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"hidden_file_executed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lkj-jnb-khe\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An AWS IMDSv1 request was issued\",\"enabled\":false,\"expression\":\"imds.cloud_provider == \\\"aws\\\" \\u0026\\u0026 imds.aws.is_imds_v2 == false \\u0026\\u0026 process.file.name not in ${imds_v1_usage_services}\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"imds_v1_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jeh-18e-m9h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"An interactive shell was started inside of a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] 
\\u0026\\u0026 exec.args_flags in [\\\"i\\\"] \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"interactive_shell_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-x7z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process executed with arguments common with Inveigh tool usage\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*SpooferIP*\\\", ~\\\"*ReplyToIPs*\\\", ~\\\"*ReplyToDomains*\\\", ~\\\"*ReplyToMACs*\\\", ~\\\"*SnifferIP*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"inveigh_tool_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4ov-ang-2gx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a IP check service\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ip_check_domain\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-88h\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Egress traffic allowed using iptables\",\"enabled\":true,\"expression\":\"exec.comm == \\\"iptables\\\" \\u0026\\u0026 process.args in [r\\\"OUTPUT.*((25[0-5]|(2[0-4]|1\\\\d|[1-9]|)\\\\d)\\\\.?\\\\b){4}.*ACCEPT\\\"] \\u0026\\u0026 process.args not in 
[r\\\"(127\\\\.)|(10\\\\.)|(172\\\\.1[6-9]\\\\.)|(172\\\\.2[0-9]\\\\.)|(^172\\\\.3[0-1]\\\\.)|(192\\\\.168\\\\.)|(169\\\\.254\\\\.)\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"iptables_egress_allowed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qnj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process made an outbound IRC connection\",\"enabled\":true,\"expression\":\"connect.addr.port == 6667 \\u0026\\u0026 connect.addr.is_public == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"irc_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-but\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"])\\n\\u0026\\u0026 process.parent.file.name in [\\\"java\\\", \\\"jspawnhelper\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"java_shell_execution_parent\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Jupyter notebook executed a shell\",\"enabled\":true,\"expression\":\"(exec.file.name in [\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"te
st\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in [\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"jupyter_shell_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"0i7-z9o-zed\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The Kubernetes pod service account token was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/var/run/secrets/kubernetes.io/serviceaccount/**\\\", ~\\\"/run/secrets/kubernetes.io/serviceaccount/**\\\"] \\u0026\\u0026 open.file.name == \\\"token\\\" \\u0026\\u0026 process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", 
~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"] \\u0026\\u0026 process.file.path not in [\\\"/usr/bin/cilium-agent\\\", \\\"/coredns\\\", \\\"/usr/bin/cilium-operator\\\", \\\"/manager\\\", \\\"/fluent-bit/bin/fluent-bit\\\", \\\"/usr/local/bin/cloud-node-manager\\\", \\\"/secrets-store-csi\\\", \\\"/bin/secrets-store-csi-driver-provider-aws\\\", \\\"/usr/bin/calico-node\\\", \\\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\\\", \\\"/nginx-ingress-controller\\\", \\\"/cluster-autoscaler\\\", \\\"/cluster-proportional-autoscaler\\\", \\\"/haproxy-ingress-controller\\\", \\\"/kube-state-metrics\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/external-secrets\\\", \\\"/node-termination-handler\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/vault\\\", \\\"/usr/local/bin/kubectl\\\", \\\"/local-provisioner\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/usr/local/bin/vaultd\\\", \\\"/usr/local/bin/trace-driveline-writer\\\", \\\"/usr/local/bin/registration-controller\\\", \\\"/usr/local/bin/cluster-autoscaler\\\"] \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"k8s_pod_service_account_token_accessed\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"2dz-kyt-nme\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"94l-lhd-e33\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ucb-5zb-rmj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"5t3-iiv-rv5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A 
kernel module was loaded\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == false \\u0026\\u0026 load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", \\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\", \\\"udp_diag\\\", \\\"inet_diag\\\"] \\u0026\\u0026 process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dkb-9ud-0ca\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container loaded a new kernel module\",\"enabled\":true,\"expression\":\"load_module.name != \\\"\\\" \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"lrg-avx-x1k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_from_memory\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"gx3-4a5-w9a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A kernel module was loaded from memory inside a 
container\",\"enabled\":true,\"expression\":\"load_module.loaded_from_memory == true \\u0026\\u0026 container.id !=\\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_load_from_memory_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"56y-vsb-zqu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"3i1-zpd-ycj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ 
~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"20v-gdb-0ha\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"kernel_module_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"fyq-x5u-mv1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A new kernel module was added\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_module_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dpm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to enable writing to model-specific registers\",\"enabled\":true,\"expression\":\"exec.comm == \\\"modprobe\\\" \\u0026\\u0026 process.args =~ \\\"*msr*allow_writes*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kernel_msr_write\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-xv7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kernel modules were listed using the kmod command\",\"enabled\":true,\"expression\":\"exec.comm == \\\"kmod\\\" \\u0026\\u0026 exec.args in [~\\\"*list*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kmod_list\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j1p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows Known DLLs location registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\KnownDLLs*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"known_dll_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-b7s\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Kubernetes DNS enumeration\",\"enabled\":true,\"expression\":\"dns.question.name == \\\"any.any.svc.cluster.local\\\" \\u0026\\u0026 dns.question.type == SRV \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"kubernetes_dns_enumeration\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"j8a-wic-bvi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file directory\",\"enabled\":true,\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\", 
~\\\"LD_PRELOAD=/dev/shm/*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ld_preload_unusual_library_path\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fbb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Library libpam.so hooked using eBPF\",\"enabled\":true,\"expression\":\"bpf.cmd == BPF_MAP_CREATE \\u0026\\u0026 process.args in [r\\\"libpam\\\\.so\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"libpam_ebpf_hook\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j1b\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Looney Tunables (CVE-2023-4911) exploit attempted\",\"enabled\":true,\"expression\":\"exec.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 exec.file.uid == 0 \\u0026\\u0026 exec.uid != 0 \\u0026\\u0026 exec.envs in [~\\\"*GLIBC_TUNABLES*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"looney_tunables_exploit\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6ql\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"memfd object created\",\"enabled\":true,\"expression\":\"exec.file.name =~ \\\"memfd*\\\" \\u0026\\u0026 exec.file.path == \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"memfd_create\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d1i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process memory was dumped using the minidump function from comsvcs.dll\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*MiniDump*\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*comsvcs*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"minidump_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"caz-yrk-14e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"enabled\":true,\"expression\":\"dns.question.name in [~\\\"*.minexmr.com\\\", \\\"minexmr.com\\\", ~\\\"*.nanopool.org\\\", \\\"nanopool.org\\\", ~\\\"*.supportxmr.com\\\", \\\"supportxmr.com\\\", ~\\\"*.c3pool.com\\\", \\\"c3pool.com\\\", ~\\\"*.p2pool.io\\\", \\\"p2pool.io\\\", ~\\\"*.ethermine.org\\\", \\\"ethermine.org\\\", ~\\\"*.f2pool.com\\\", \\\"f2pool.com\\\", ~\\\"*.poolin.me\\\", \\\"poolin.me\\\", ~\\\"*.rplant.xyz\\\", \\\"rplant.xyz\\\", ~\\\"*.miningocean.org\\\", \\\"miningocean.org\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mining_pool_lookup\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ab6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently modified file requested credentials from IMDS\",\"enabled\":true,\"expression\":\"imds.url =~ \\\"/*/meta-data/iam/security-credentials/*\\\" \\u0026\\u0026 (process.parent.file.modification_time \\u003c 120s || process.file.modification_time \\u003c 30s)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"modified_file_requesting_imds_creds\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mxb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The host file system was mounted in a container\",\"enabled\":true,\"expression\":\"mount.source.path == \\\"/\\\" \\u0026\\u0026 mount.fs_type != \\\"overlay\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_host_fs\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-ibc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The mount utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"mount\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mr5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process hidden using mount\",\"enabled\":true,\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", ~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"mount_proc_hide\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"zfb-ixo-o4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious file was written by a network utility\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0 \\u0026\\u0026 process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n\\u0026\\u0026 (\\n (open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_file_download\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sqi-q1z-onu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Network utility executed with suspicious URI\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026 exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] \",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_unusual_request\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7y2-ihu-hm2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id == \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os 
== \\\"linux\\\"\"],\"name\":\"net_util\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"a52-req-ghm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Exfiltration attempt via network utility\",\"enabled\":true,\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] \\u0026\\u0026\\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", ~\\\"F=file*\\\"] \\u0026\\u0026\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_util_exfiltration\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w0z-64n-bss\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A network utility was executed in a container\",\"enabled\":true,\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) \\u0026\\u0026\\ncontainer.id != \\\"\\\" \\u0026\\u0026 exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"net_util_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-969\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible netcat shell 
detected\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"netcat\\\", \\\"nc\\\", \\\"ncat\\\"] \\u0026\\u0026 ((exec.args_flags in [\\\"l\\\"] \\u0026\\u0026 exec.args_flags in [\\\"p\\\"]) || (exec.args_flags in [\\\"n\\\"] \\u0026\\u0026 exec.args_flags in [\\\"v\\\"]) || (exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\"]))\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"netcat_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-9rk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Local account groups were enumerated after container start up\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"network_sniffing_tool\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xgw-28i-480\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container executed a new binary not found in the container image\",\"enabled\":true,\"expression\":\"container.id != \\\"\\\" \\u0026\\u0026 process.file.in_upper_layer \\u0026\\u0026 process.file.modification_time \\u003c 30s \\u0026\\u0026 exec.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"new_binary_execution_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qn0\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsenter used to breakout of container\",\"enabled\":true,\"expression\":\"exec.file.name == 
\\\"nsenter\\\" \\u0026\\u0026 exec.args_options in [\\\"target=1\\\", \\\"t=1\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsenter_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"mqh-lgo-brj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"v2b-cd3-clr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wwc-6it-t7i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"e5h-onu-f7l\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-i9x\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 ((O_RDWR|O_WRONLY|O_CREAT)) 
\\u003e 0 \\u0026\\u0026\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) \\u0026\\u0026 container.created_at \\u003e 90s \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"sif-d9p-wzg\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4mu-d2x-fyk\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"qt9-i99-q9p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"nsswitch may have been modified without 
authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"nsswitch_conf_mod_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-d4i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"NTDS file referenced in commandline\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"ntds_in_commandline\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-49j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A known kubernetes pentesting tool has been executed\",\"enabled\":true,\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] \\u0026\\u0026 (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"offensive_k8s_tool\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"4yt-ize-avz\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Omiagent spawns a privileged child process\",\"enabled\":true,\"expression\":\"exec.uid \\u003e= 0 \\u0026\\u0026 process.ancestors.file.name == \\\"omiagent\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"omigod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tp8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process opened a model-specific register (MSR) configuration file\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/sys/module/msr/parameters/allow_writes\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"open_msr_writes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-jl7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"openssl used to establish backdoor\",\"enabled\":true,\"expression\":\"exec.comm == \\\"openssl\\\" \\u0026\\u0026 exec.args =~ \\\"*s_client*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"openssl_backdoor\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-0pf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to overwrite the container entrypoint\",\"enabled\":true,\"expression\":\"open.file.path == \\\"/proc/self/fd/1\\\" \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0 \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"overwrite_entrypoint\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-o1o\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process made a connection to a port associated with P2PInfect malware\",\"enabled\":true,\"expression\":\"connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 connect.addr.is_public == true \\u0026\\u0026 connect.addr.port \\u003e= 60100 \\u0026\\u0026 connect.addr.port \\u003c= 60150\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"p2pinfect_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"m7d-vlh-3yq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Package management was detected in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"package_management_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"34t-hic-8cn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"pam_modification_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pfu-dvh-e5w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"x7i-34j-1rv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w7o-w48-j34\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"pam_modification_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wri-hx3-4n3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"900-1sj-xhs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pxk-42u-fga\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PAM may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pam_modification_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"l2e-aka-bw6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"enabled\":true,\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"passwd_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"460-gys-lqp\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A DNS lookup was done for a pastebin-like site\",\"enabled\":true,\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\", \\\"rentry.co\\\", \\\"transfer.sh\\\"] \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"paste_site\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7vi-w5r-h15\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"xiu-ghq-4zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != 
chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9ym-18v-5zi\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"fpa-r6g-2em\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 
(O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-y7j\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9pu-mp3-xea\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ssp-47a-p20\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"q0u-s8m-8pd\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Critical system binaries may have been modified\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", 
\\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pci_11_5_critical_binaries_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-lel\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible perl bind shell detected\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"perl*\\\" \\u0026\\u0026 exec.args_flags in [\\\"e\\\"] \\u0026\\u0026 ((exec.args in [~\\\"*socket*\\\", ~\\\"*bind*\\\", ~\\\"*sockaddr*\\\", ~\\\"*listen*\\\", ~\\\"*accept\\\", ~\\\"*stdin*\\\", ~\\\"*stdout\\\"]) || (exec.args in [~\\\"*/bin/sh*\\\", ~\\\"*/bin/bash*\\\"]))\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"perl_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-7ez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible php shell detected\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"php\\\" \\u0026\\u0026 exec.args_flags in [\\\"r\\\"] \\u0026\\u0026 ((exec.args in [~\\\"*socket_bind*\\\", ~\\\"*socket_listen*\\\", ~\\\"*socket_accept*\\\", ~\\\"*socket_create*\\\", 
~\\\"*socket_write*\\\", ~\\\"*socket_read*\\\"]) || (exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\"]))\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"php_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zse\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"PHP web application spawning shell\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name in [\\\"php.exe\\\",\\\"php-cgi.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"php_spawning_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-8j2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A web application spawned a shell or shell utility\",\"enabled\":true,\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\",\\\"/bin/busybox\\\"]) \\u0026\\u0026\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"potential_web_shell_parent\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-guo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was executed matching arguments for a UAC bypass technique common in powershell empire\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*-NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\\\", ~\\\"*-NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"powershell_empire_uac_bypass\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oy4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A tool used to dump process memory has been executed\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"procmon.exe\\\",\\\"procdump.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"procdump_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"pwu-7u7-iiq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_TRACEME \\u0026\\u0026 process.file.name != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ptrace_antidebug\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kpm-7kh-xz5\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process attempted to inject code into another process\",\"enabled\":true,\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ptrace_injection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wpz-bim-6rb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"enabled\":true,\"expression\":\"(exec.file.path == \\\"/usr/bin/pkexec\\\" \\u0026\\u0026 exec.envs in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] \\u0026\\u0026 exec.envs not in [~\\\"*DISPLAY*\\\", ~\\\"*DESKTOP_SESSION*\\\"] \\u0026\\u0026 exec.uid != 0)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"pwnkit_privilege_escalation\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"g7f-kfr-tdb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Python code was provided on the command 
line\",\"enabled\":true,\"expression\":\"exec.file.name == ~\\\"python*\\\" \\u0026\\u0026 exec.args_flags in [\\\"c\\\"] \\u0026\\u0026 exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", ~\\\"*-c*/bash*\\\", ~\\\"*-c*/bin/sh*\\\", ~\\\"*-c*pty.spawn*\\\"] \\u0026\\u0026 exec.args !~ \\\"*setuptools*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"python_cli_code\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-do7\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Possible ransomware note created under common user directories\",\"enabled\":true,\"expression\":\"open.flags \\u0026 O_CREAT \\u003e 0\\n\\u0026\\u0026 open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", ~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", ~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n\\u0026\\u0026 open.file.name in [r\\\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\\\"] \\u0026\\u0026 open.file.name not in [r\\\"\\\\.lock$\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ransomware_note\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-y27\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"RC scripts modified\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 (open.file.path in [\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"rc_scripts_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The kubeconfig file was accessed\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"read_kubeconfig\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-npv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Detects CVE-2022-0543\",\"enabled\":true,\"expression\":\"(open.file.path =~ \\\"/usr/lib/x86_64-linux-gnu/*\\\" \\u0026\\u0026 open.file.name in [\\\"libc-2.29.so\\\", \\\"libc-2.30.so\\\", \\\"libc-2.31.so\\\", \\\"libc-2.32.so\\\", \\\"libc-2.33.so\\\", \\\"libc-2.34.so\\\", \\\"libc-2.35.so\\\", \\\"libc-2.36.so\\\", \\\"libc-2.37.so\\\"]) \\u0026\\u0026 process.ancestors.comm in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"redis_sandbox_escape\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wv3\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Redis module has been created\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) 
\\u003e 0 \\u0026\\u0026 open.file.path =~ \\\"/tmp/**\\\" \\u0026\\u0026 open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) \\u0026\\u0026 process.file.name in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"redis_save_module\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-jed\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows registry hives file location key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\hivelist*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_hives_file_path_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6oh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A Registry runkey has been modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_runkey_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6x2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Service registry runkey modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\CurrentVersion\\\\RunServices\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"registry_service_runkey_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bv2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process matches known relay attack tool\",\"enabled\":true,\"expression\":\"exec.file.name in [~\\\"*PetitPotam*\\\", ~\\\"*RottenPotato*\\\", ~\\\"*HotPotato*\\\", ~\\\"*JuicyPotato*\\\", ~\\\"*just_dce_*\\\", ~\\\"*Juicy Potato*\\\", \\\"rot.exe\\\", \\\"Potato.exe\\\", \\\"SpoolSample.exe\\\", \\\"Responder.exe\\\", ~\\\"*smbrelayx*\\\", ~\\\"*smbrelayx*\\\", ~\\\"*ntlmrelayx*\\\", ~\\\"*LocalPotato*\\\"] || exec.cmdline in [~\\\"*Invoke-Tater*\\\", ~\\\"*smbrelay*\\\", ~\\\"*ntlmrelay*\\\", ~\\\"*cme smb*\\\", ~\\\"*ntlm:NTLMhash*\\\", ~\\\"*Invoke-PetitPotam*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"relay_attack_tool_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-eho\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Container escape attempted by overwriting release_agent\",\"enabled\":true,\"expression\":\"open.file.name == \\\"release_agent\\\" \\u0026\\u0026 open.file.path in [\\\"/tmp/**\\\", \\\"/home/**\\\", \\\"/root/**\\\", \\\"/*\\\"] \\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"release_agent_escape\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-b5z\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match rubeus credential theft tool\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*asreproast*\\\", ~\\\"*/service:krbtgt*\\\", ~\\\"*dump /luid:0x*\\\", ~\\\"*kerberoast*\\\", ~\\\"*createonly /program*\\\", ~\\\"*ptt /ticket*\\\", ~\\\"*impersonateuser*\\\", ~\\\"*renew /ticket*\\\", ~\\\"*asktgt /user*\\\", ~\\\"*harvest /interval*\\\", ~\\\"*s4u /user*\\\", ~\\\"*hash /password*\\\", ~\\\"*golden /aes256*\\\", ~\\\"*silver /user*\\\", \\\"*rubeus*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"rubeus_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-h19\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The container breakout CVE-2024-21626 was successful\",\"enabled\":true,\"expression\":\"chdir.syscall.path =~ \\\"/proc/self/fd/*\\\" \\u0026\\u0026 chdir.file.path == \\\"/sys/fs/cgroup\\\" \\u0026\\u0026 process.file.name =~ \\\"runc.*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"runc_leaky_fd\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"tlu-qlm-1ow\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The runc binary was modified in a non-standard way\",\"enabled\":true,\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n\\u0026\\u0026 open.flags \\u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \\u003e 0\\n\\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"runc_modification\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-x51\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Safeboot registry modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"safeboot_modification\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A scheduled task was created\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*at.exe\\\",~\\\"*schtasks*\\\"] \\u0026\\u0026 exec.cmdline =~ \\\"*create*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"scheduled_task_creation\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wgq-lg4-tas\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SELinux enforcement status was disabled\",\"enabled\":true,\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] \\u0026\\u0026 process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"selinux_disable_enforcement\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-j45\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process is tracing privileged processes or sshd for possible credential dumping\",\"enabled\":true,\"expression\":\"(ptrace.request == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request == PTRACE_PEEKUSR) \\u0026\\u0026 ptrace.tracee.euid == 0 \\u0026\\u0026 process.comm not in [\\\"dlv\\\", \\\"dlv-linux-amd64\\\", \\\"strace\\\", \\\"gdb\\\", \\\"lldb-server\\\"]\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"sensitive_tracing\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-uv8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"systemctl used to stop a service\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"systemctl\\\" \\u0026\\u0026 exec.args in [~\\\"*stop*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"service_stop\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qf8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"sharpup tool used for local privilege escalation\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sharpup.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*HijackablePaths*\\\", ~\\\"*UnquotedServicePath*\\\", ~\\\"*ProcessDLLHijack*\\\", ~\\\"*ModifiableServiceBinaries*\\\", ~\\\"*ModifiableScheduledTask*\\\", ~\\\"*DomainGPPPassword*\\\", ~\\\"*CachedGPPPassword*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"sharpup_tool_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dfr-by9-sx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"unlink.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 unlink.file.path in [~\\\"/root/**\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.comm not in [\\\"dockerd\\\", 
\\\"containerd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_deleted\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"dmf-a2c-odj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A symbolic link for shell history was created targeting /dev/null\",\"enabled\":true,\"expression\":\"exec.comm == \\\"ln\\\" \\u0026\\u0026 exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_symlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"v5x-8l4-d6a\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell History was Deleted\",\"enabled\":true,\"expression\":\"open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026 open.file.name in [\\\".bash_history\\\", \\\".zsh_history\\\", \\\".fish_history\\\", \\\"fish_history\\\", \\\".dash_history\\\", \\\".sh_history\\\"] \\u0026\\u0026 open.file.path in [~\\\"/root/*\\\", ~\\\"/home/**\\\"] \\u0026\\u0026 process.file.name == \\\"truncate\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_history_truncated\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-dar\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell made an outbound network connection\",\"enabled\":true,\"expression\":\"connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 process.file.name in 
[\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"] \\u0026\\u0026 connect.addr.is_public == true\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_net_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fn2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Shell profile was modified\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] \\u0026\\u0026 open.flags \\u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"shell_profile_modification\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-hbr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"process arguments match sliver c2 implant\",\"enabled\":true,\"expression\":\"exec.cmdline =~ \\\"*NoExit *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*Command *\\\" \\u0026\\u0026 exec.cmdline =~ \\\"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"sliver_c2_implant_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oi1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Process arguments indicating possible socat shell detected\",\"enabled\":true,\"expression\":\"((exec.file.name == \\\"socat\\\") || (exec.comm == \\\"socat\\\")) \\u0026\\u0026 exec.args in [~\\\"*/bin/bash*\\\", ~\\\"*/bin/sh*\\\", ~\\\"*exec*\\\", ~\\\"*pty*\\\", ~\\\"*setsid*\\\", ~\\\"*stderr*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"socat_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"htc-275-0wt\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7q3-6aa-pix\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"91f-pyq-54k\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n link.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (link.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"rpc-ji0-zfu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qwu\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) 
\\u003e 0 \\u0026\\u0026\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) \\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"t5u-qdx-650\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n rename.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (rename.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"y0y-3gl-645\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n unlink.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (unlink.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"hba-kfe-1xr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH modified keys may have been modified\",\"enabled\":true,\"expression\":\"(\\n utimes.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] \\u0026\\u0026 (utimes.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_authorized_keys_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-o13\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The configuration directory for an ssh worm\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] \\u0026\\u0026 open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_it_tool_config_write\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-41f\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSH initiated a connection on a nonstandard port\",\"enabled\":true,\"expression\":\"connect.addr.port in [80, 8080, 88, 443, 8443, 4444] \\u0026\\u0026 process.file.name == \\\"ssh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_nonstandard_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-g5v\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Kernel 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A process connected to an SSH server\",\"enabled\":true,\"expression\":\"connect.addr.port == 22 \\u0026\\u0026 connect.addr.family \\u0026 (AF_INET|AF_INET6) \\u003e 0 \\u0026\\u0026 connect.addr.ip not in [127.0.0.0/8]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssh_outbound_connection\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"y5i-yxn-27t\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.mode != chmod.file.destination.mode\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"kyr-sg6-us9\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"w6f-wte-i63\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" 
]\\n || link.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n \\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"191-ty1-ede\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qt6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\\n\\u0026\\u0026 container.created_at \\u003e 90s\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_open_v2\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"o5t-b08-86p\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"9y1-cbb-p03\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"ayv-hqe-lx8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"SSL certificates may have been tampered with\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n\\u0026\\u0026 process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n\\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n\\u0026\\u0026 process.file.name !~ \\\"runc*\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"ssl_certificate_tampering_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-crv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path == 
\\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-l8e\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-myb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path == \\\"/etc/sudoers\\\"\\n || link.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-mmo\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(open.flags \\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n(open.file.path == \\\"/etc/sudoers\\\")) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-550\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path == \\\"/etc/sudoers\\\"\\n || rename.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-bxs\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path == \\\"/etc/sudoers\\\")\\n)\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-s07\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Sudoers policy file may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path == \\\"/etc/sudoers\\\")\\n) \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"sudoers_policy_modified_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-5wh\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"a SUID file was executed\",\"enabled\":true,\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) \\u0026\\u0026 process.file.mode \\u0026 S_ISUID \\u003e 0 \\u0026\\u0026 process.file.uid == 0 \\u0026\\u0026 process.uid != 0 \\u0026\\u0026 process.file.path != \\\"/usr/bin/sudo\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suid_file_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-4y4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A suspicious bitsadmin command has been executed\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"bitsadmin.exe\\\" 
\\u0026\\u0026 exec.cmdline in [~\\\"*addfile*\\\", ~\\\"*create*\\\", ~\\\"*resume*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"suspicious_bitsadmin_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"afj-5sv-2wb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A container management utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\"] \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suspicious_container_client\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-eck\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Dll written to a suspicious directory\",\"enabled\":true,\"expression\":\"create.file.name =~ \\\"*.dll\\\" \\u0026\\u0026 create.file.device_path not in [~\\\"\\\\Device\\\\*\\\\Windows\\\\System32\\\\**\\\", ~\\\"\\\\Device\\\\*\\\\ProgramData\\\\docker\\\\**\\\"] \\u0026\\u0026 process.file.name != \\\"dockerd.exe\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"suspicious_dll_write\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-2k6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Suspicious usage of ntdsutil\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"ntdsutil.exe\\\" \\u0026\\u0026 exec.cmdline in [~\\\"*ntds*\\\", ~\\\"*create*\\\"]\",\"filters\":[\"os == 
\\\"windows\\\"\"],\"name\":\"suspicious_ntdsutil_usage\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zo8\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Recently written or modified suid file has been executed\",\"enabled\":true,\"expression\":\"((process.file.mode \\u0026 S_ISUID \\u003e 0) \\u0026\\u0026 process.file.modification_time \\u003c 30s) \\u0026\\u0026 exec.file.name != \\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\", ~\\\"/opt/datadog-installer/**\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"suspicious_suid_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"48s-46n-g4w\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 chmod.file.destination.mode != chmod.file.mode\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_chmod\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"wwy-h4d-pwm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) \\u0026\\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_chown\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"64n-p6m-uq1\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", 
~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_link\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"7zw-qbm-y6d\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n open.flags \\u0026 (O_CREAT|O_RDWR|O_WRONLY) \\u003e 0 \\u0026\\u0026\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_open\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"prk-6q1-g0m\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", 
~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_rename\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"jlt-y4v-dax\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_unlink\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"yjj-o5q-x00\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A service may have been modified without authorization\",\"enabled\":true,\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n \\u0026\\u0026 process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"systemd_modification_utimes\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-18q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tar archive created\",\"enabled\":true,\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" \\u0026\\u0026 exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tar_execution\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-925\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A shell with a TTY was executed in a container\",\"enabled\":true,\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] \\u0026\\u0026 process.tty_name != \\\"\\\" \\u0026\\u0026 
process.container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tty_shell_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-hlr\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Tunneling or port forwarding tool used\",\"enabled\":true,\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") \\u0026\\u0026 process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] \\u0026\\u0026 process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] \\u0026\\u0026 process.args in [r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" \\u0026\\u0026 process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" \\u0026\\u0026 process.args in [r\\\"(TCP4-LISTEN:|SOCKS)\\\"]) || (exec.comm in [\\\"iodine\\\", \\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] \\u0026\\u0026 process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"tunnel_traffic\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wok\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Device rule created\",\"enabled\":true,\"expression\":\"open.file.path in [~\\\"/etc/udev/rules.d/*\\\", ~\\\"/lib/udev/rules.d/*\\\", ~\\\"/usr/lib/udev/rules.d/*\\\", ~\\\"/usr/local/lib/udev/rules.d/*\\\", ~\\\"/run/udev/rules.d/*\\\"] 
\\u0026\\u0026 open.flags \\u0026 O_CREAT \\u003e 0\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"udev_modification\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-oil\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"The unshare utility was executed in a container\",\"enabled\":true,\"expression\":\"exec.comm == \\\"unshare\\\" \\u0026\\u0026 container.id != \\\"\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"unshare_in_container\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"07y-k18-cih\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was created via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] \\u0026\\u0026 exec.args_flags not in [\\\"D\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"user_created_tty\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-qem\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A user was deleted via an interactive session\",\"enabled\":true,\"expression\":\"exec.file.name in [\\\"userdel\\\", 
\\\"deluser\\\"] \\u0026\\u0026 exec.tty_name !=\\\"\\\" \\u0026\\u0026 process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"user_deleted_tty\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-a65\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Network Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Web application requested IMDSv1 credentials\",\"enabled\":true,\"expression\":\"imds.aws.is_imds_v2 == false \\u0026\\u0026 imds.url =~ \\\"*/*/meta-data/iam/security-credentials/*\\\" \\u0026\\u0026 (process.ancestors.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.ancestors.file.name =~ \\\"php*\\\" || process.ancestors.file.name == \\\"java\\\")\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"webapp_imds_V1_request\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-nip\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Browser WebDriver spawned shell\",\"enabled\":true,\"expression\":\"process.parent.file.name in [~\\\"chromedriver*\\\", \\\"geckodriver\\\"] \\u0026\\u0026 exec.file.name not in [\\\"chrome\\\", \\\"google-chrome\\\", \\\"chromium\\\", \\\"firefox\\\"]\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"webdriver_spawned_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-gqa\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows boot registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\IniFileMapping\\\\SYSTEM.ini\\\\boot*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_boot_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tat\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows RPC COM debugging registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_com_rpc_debugging_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-76q\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows cryptographic blocking policy modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllRemoveSignedDataMsg*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_cryptographic_blocking_policy_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-fsq\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"A cryptominer was potentially executed\",\"enabled\":true,\"expression\":\"exec.cmdline in [~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", ~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_cryptominer_process\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-6lj\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"windows explorer file has been modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\explorer.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_explorer_executable_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wnn\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows firewall configuration registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_firewall_configuration_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-tlf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"the windows hosts file was modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\windows\\\\system32\\\\Drivers\\\\etc\\\\hosts\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_hosts_file_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-zp4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"microsoft security essentials executable modified\",\"enabled\":true,\"expression\":\"write.file.device_path in [~\\\"\\\\Device\\\\*\\\\Program Files\\\\Microsoft Security Client\\\\msseces.exe\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_security_essentials_executable_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-n3u\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows shell folders registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders*\\\", ~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_shell_folders_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-m9i\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File 
Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows environment variable registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Environment*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_system_enviroment_variable_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-wqf\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows update registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsUpdate*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"windows_update_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vez\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"File Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Windows winlogon registry key modified\",\"enabled\":true,\"expression\":\"set.registry.key_path in [~\\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\\\"]\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"winlogon_registry_key_modified\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}},{\"id\":\"def-000-vjv\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1737661272000,\"creator\":{\"name\":\"Datadog\",\"handle\":\"\"},\"defaultRule\":true,\"description\":\"Command executed via WMI\",\"enabled\":true,\"expression\":\"exec.file.name in 
[~\\\"powershell*\\\",\\\"cmd.exe\\\"] \\u0026\\u0026 process.parent.file.name == \\\"WmiPrvSE.exe\\\"\",\"filters\":[\"os == \\\"windows\\\"\"],\"name\":\"wmi_spawning_shell\",\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}}]}", "headers": { "Content-Type": [ "application/json"
diff --git a/src/test/resources/cassettes/features/v2/Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze
index bdb6d07aa2b..a1b59dc82f5 100644
--- a/src/test/resources/cassettes/features/v2/Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze
+++ b/src/test/resources/cassettes/features/v2/Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze
@@ -1 +1 @@
-2024-04-23T17:57:49.344Z
\ No newline at end of file
+2025-04-01T14:30:58.973Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.json
index 5d6385c36e9..6bf5fcd4b21 100644
--- a/src/test/resources/cassettes/features/v2/Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.json
@@ -1,34 +1,4 @@ [ - { - "httpRequest": { - "body": { - "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1713895069\"},\"type\":\"agent_rule\"}}" - }, - "headers": {}, - "method": "POST", - "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules", - "keepAlive": false, - "secure": true - }, - "httpResponse": { - "body": "{\"data\":{\"id\":\"sk6-sni-wfh\",\"attributes\":{\"version\":1,\"name\":\"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1713895069\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713895069454,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713895069454,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n", - "headers": { - "Content-Type": [ - "application/json" - ] - }, - "statusCode": 200, - "reasonPhrase": "OK" - }, - "times": { - "remainingTimes": 1 - }, - "timeToLive": { - "unlimited": true - }, - "id": "7621ec8a-3279-e91f-e810-99cc3743d9c9" - }, { "httpRequest": { "headers": {}, 
@@ -38,7 +8,7 @@ "secure": true }, "httpResponse": { - "body": "{\"data\":[{\"id\":\"sk6-sni-wfh\",\"attributes\":{\"version\":1,\"name\":\"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1713895069\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713895069454,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713895069454,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zfc-g0g-a8x\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_LPRxi\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196703991,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196703991,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pae-rpt-yni\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_CpDMZ\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196520725,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196520725,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jwu-xbf-ic5\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_HfYXr\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196519724,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196519724,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uew-oxg-b86\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_Tjzvu\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712805386256,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712805386256,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wyn-ib7-f7o\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_fWORB\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712805020073,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712805020073,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mwk-g74-lbd\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_XcxFr\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712804840761,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712804840761,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rqa-io7-fwn\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_bKkuv\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712804479644,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712804479644,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n1x-qsa-p53\",\"attributes\":{\"version\":1,\"name\":\"windows_cryptominer_process\",\"description\":\"A cryptominer was potentially executed\",\"expression\":\"exec.cmdline in 
[~\\\"*xmrig*\\\", ~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", ~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1712079129574,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rws-z9b-qjv\",\"attributes\":{\"version\":1,\"name\":\"ransomware_note\",\"description\":\"Possible ransomware note created under common user directories\",\"expression\":\"open.flags & O_CREAT > 0\\n&& open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", ~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", ~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n&& open.file.name in [r\\\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\\\"] && open.file.name not in [r\\\".*\\\\.lock$\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1711644650371,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pqp-0vs-cmu\",\"attributes\":{\"version\":1,\"name\":\"ssh_it_tool_config_write\",\"description\":\"The configuration directory for an ssh worm\",\"expression\":\"open.file.path in [\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1711644642969,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tkp-w9m-vzp\",\"attributes\":{\"version\":1,\"name\":\"safeboot_modification\",\"description\":\"Safeboot registry modified\",\"expression\":\"set.registry.key_path =~ \\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SafeBoot\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1711644635093,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8be-hej-nf2\",\"attributes\":{\"version\":3,\"name\":\"ps_discovery\",\"description\":\"Processes were listed using the ps command\",\"expression\":\"exec.comm == \\\"ps\\\" && exec.argv not in [\\\"-p\\\", \\\"--pid\\\"] && process.ancestors.file.name not in [\\\"qualys-cloud-agent\\\", \\\"amazon-ssm-agent\\\"] && process.parent.file.name not in [\\\"rkhunter\\\", \\\"jspawnhelper\\\", ~\\\"vm-agent*\\\", \\\"PassengerAgent\\\", \\\"node\\\", \\\"wdavdaemon\\\", \\\"chkrootkit\\\", \\\"tsagentd\\\", \\\"wazuh-modulesd\\\", \\\"wdavdaemon\\\", \\\"talend-remote-engine-service\\\", \\\"check_procs\\\", \\\"newrelic-daemon\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1711644627589,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wn9-9vf-8be\",\"attributes\":{\"version\":1,\"name\":\"mount_proc_hide\",\"description\":\"Process hidden using mount\",\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", 
~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1711644623109,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"upj-muh-hms\",\"attributes\":{\"version\":2,\"name\":\"chatroom_request\",\"description\":\"A DNS request was made for a chatroom domain\",\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"category\":\"Network Activity\",\"creationDate\":0,\"updateDate\":1711644612626,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gnz-81e-6lg\",\"attributes\":{\"version\":1,\"name\":\"cryptominer_envs\",\"description\":\"Process environment variables match cryptocurrency miner\",\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", \\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1711644602654,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7da-gwx-c3l\",\"attributes\":{\"version\":2,\"name\":\"auditctl_usage\",\"description\":\"The auditctl command was used to modify auditd\",\"expression\":\"exec.file.name == \\\"auditctl\\\" && exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1711644592613,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8jg-xym-vqz\",\"attributes\":{\"version\":1,\"name\":\"jupyter_shell_execution\",\"description\":\"A Jupyter notebook executed a shell\",\"expression\":\"(exec.file.name in [\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"test\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in 
[\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) && process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1711644590883,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9ih-87r-xrp\",\"attributes\":{\"version\":1,\"name\":\"registry_runkey_modified\",\"description\":\"A Registry runkey has been modified\",\"expression\":\"set.registry.key_path in [~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal 
Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunonceEx\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1711644584412,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"msb-ai6-ua5\",\"attributes\":{\"version\":2,\"name\":\"tunnel_traffic\",\"description\":\"Tunneling or port forwarding tool used\",\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") && process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] && process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] && process.args in [r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" && process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" && process.args in [r\\\".*(TCP4-LISTEN:|SOCKS).*\\\"]) || (exec.comm in [\\\"iodine\\\", \\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] && process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1711644574925,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6fr-csu-axm\",\"attributes\":{\"version\":7,\"name\":\"k8s_pod_service_account_token_accessed\",\"description\":\"The Kubernetes pod service account token was accessed\",\"expression\":\"open.file.path in 
[~\\\"/var/run/secrets/kubernetes.io/serviceaccount/**\\\", ~\\\"/run/secrets/kubernetes.io/serviceaccount/**\\\"] && open.file.name == \\\"token\\\" && process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"] && process.file.path not in [\\\"/usr/bin/cilium-agent\\\", \\\"/coredns\\\", \\\"/usr/bin/cilium-operator\\\", \\\"/manager\\\", \\\"/fluent-bit/bin/fluent-bit\\\", \\\"/usr/local/bin/cloud-node-manager\\\", \\\"/secrets-store-csi\\\", \\\"/bin/secrets-store-csi-driver-provider-aws\\\", \\\"/usr/bin/calico-node\\\", \\\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\\\", \\\"/nginx-ingress-controller\\\", \\\"/cluster-autoscaler\\\", \\\"/cluster-proportional-autoscaler\\\", \\\"/haproxy-ingress-controller\\\", \\\"/kube-state-metrics\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/external-secrets\\\", \\\"/node-termination-handler\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/vault\\\", \\\"/usr/local/bin/kubectl\\\", \\\"/local-provisioner\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/usr/local/bin/vaultd\\\", \\\"/usr/local/bin/trace-driveline-writer\\\", \\\"/usr/local/bin/registration-controller\\\", \\\"/usr/local/bin/cluster-autoscaler\\\"] && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", 
\\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1711644571787,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"30s-pi8-9b4\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1711550899699,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1711550899699,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"a9q-iyx-gfu\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686508595,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686508595,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"hlq-w7y-5tg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686508341,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686508341,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"lj4-ina-ue2\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507890,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507890,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"qlz-mcu-d2k\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507757,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507757,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bmx-go6-0lz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507388,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507388,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bk0-mpb-ii8\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507115,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507115,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"0xw-wbm-pel\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131459596,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131459596,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"nvt-eoh-yiz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131458820,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131458820,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"dc5-hba-20b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131457616,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131457616,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"asb-kqf-vex\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131457216,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131457216,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yzx-ia6-bdh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131456469,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131456469,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"3uo-x9p-tmb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131455692,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131455692,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"kan-5ki-wau\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872191984,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872191984,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ggb-h3r-t7d\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872191450,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872191450,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"y4n-8gx-m3n\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872190549,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872190549,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"xsf-ugy-cfq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872190256,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872190256,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"btr-btz-zif\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872189757,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872189757,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"jnw-ija-az5\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872189262,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872189262,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"6v0-shq-8gm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452911364,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452911364,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yrv-svq-9nz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452911144,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452911144,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"9s9-wui-t8c\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910712,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910712,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"krm-ssv-tn5\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910586,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910586,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"uiu-6vz-z2h\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910368,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910368,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"eej-oup-jwu\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910147,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910147,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ltv-fla-wb0\",\"attributes\":{\"version\":1,\"name\":\"ntds_in_commandline\",\"description\":\"NTDS file referenced in commandline\",\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1704404490608,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"uuf-w3c-u9q\",\"attributes\":{\"version\":1,\"name\":\"scheduled_task_creation\",\"description\":\"A scheduled task was created\",\"expression\":\"exec.file.name in [\\\"at.exe\\\",\\\"schtasks.exe\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1704404490608,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nyc-gfz-yr5\",\"attributes\":{\"version\":5,\"name\":\"nsswitch_conf_mod_chown\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"updateDate\":1704404477785,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bm8-j5w-xfv\",\"attributes\":{\"version\":3,\"name\":\"suspicious_suid_execution\",\"description\":\"Recently written or modified suid file has been executed\",\"expression\":\"((process.file.mode & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name != \\\"\\\" && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1704404469455,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"phy-tco-k7w\",\"attributes\":{\"version\":6,\"name\":\"database_shell_execution\",\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n 
\\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/
bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) &&\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] &&\\n!(process.parent.file.name == \\\"initdb\\\" &&\\nexec.args == \\\"-c locale -a\\\") &&\\n!(process.parent.file.name == \\\"postgres\\\" &&\\nexec.args == ~\\\"*pg_wal*\\\")\",\"category\":\"Process Activity\",\"creationDate\":1617722069155,\"updateDate\":1704404453620,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7x1-glr-ofl\",\"attributes\":{\"version\":2,\"name\":\"credential_modified_open_v2\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\\n (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", 
\\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && container.created_at > 90s\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1704404453617,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jjg-cwd-bi8\",\"attributes\":{\"version\":2,\"name\":\"pci_11_5_critical_binaries_open_v2\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && container.created_at > 90s\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1704404449335,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rqb-wq9-xzq\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_jcvqK\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1704404420111,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1704404420111,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"sqx-azd-ia2\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_ivMAv\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1700251049947,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1700251049947,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"83g-jde-hyc\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1700243663249,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1700243663249,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hyg-8q3-gme\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294824,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294824,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bn3-we8-cxn\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294647,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294647,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"goh-6ij-cpa\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294269,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294269,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"he7-cho-9th\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294175,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294175,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"pj5-9wo-0ny\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219293961,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219293961,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"dmd-ens-omw\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219293736,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219293736,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"8ft-wcs-sok\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132880522,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132880522,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"onm-fm3-ilm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132880255,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132880255,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cxv-wyz-udh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879795,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879795,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"7ro-vjj-hqg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879679,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879679,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"3uf-mai-edh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879455,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879455,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"e2t-sos-sgs\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879213,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879213,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"joz-phu-bj6\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046608383,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046608383,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"9gx-e5x-wxl\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046607880,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046607880,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cmg-7ok-iws\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046607019,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046607019,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"fc2-mmz-xme\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046606743,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046606743,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cw4-gei-lqg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046606184,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046606184,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"djb-5it-syy\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046605699,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046605699,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"2be-cfa-xhr\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960183272,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960183272,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5dp-tcj-tbm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960182731,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960182731,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"a0m-zaf-0a8\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181838,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181838,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"erx-pyz-xft\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181554,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181554,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ydh-fsm-slz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181024,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181024,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5pp-60h-keq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960180438,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960180438,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"xyn-fkc-osi\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873852793,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873852793,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"llg-x6t-jjq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873852043,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873852043,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"q1s-ejx-xq3\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873850880,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873850880,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"zw4-cad-dro\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873850490,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873850490,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"rik-8jl-7nr\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873849810,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873849810,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"vih-vom-ryl\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873849102,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873849102,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"mhl-gkn-bun\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_unlink\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"updateDate\":1699614659146,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"j3f-cie-47b\",\"attributes\":{\"version\":2,\"name\":\"kernel_module_load_from_memory\",\"description\":\"A kernel module was loaded from memory\",\"expression\":\"load_module.loaded_from_memory == true\",\"category\":\"Kernel 
Activity\",\"creationDate\":1650293718630,\"updateDate\":1699614659145,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"my1-vln-8fq\",\"attributes\":{\"version\":3,\"name\":\"cryptominer_args\",\"description\":\"A process launched with arguments associated with cryptominers\",\"expression\":\"exec.args_options in [~\\\"cpu-priority*\\\", ~\\\"donate-level*\\\"] || exec.args in [~\\\"*stratum+tcp*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1699614656177,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"us6-p6v-hbj\",\"attributes\":{\"version\":2,\"name\":\"tar_execution\",\"description\":\"Tar archive created\",\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" && exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1699614655670,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vky-y2i-mvh\",\"attributes\":{\"version\":2,\"name\":\"java_shell_execution_parent\",\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n 
\\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\
\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"])\\n&& process.parent.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1699614653571,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ohe-vlf-t2h\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_chown\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"updateDate\":1699614645120,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"abo-w0g-emz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614584761,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614584761,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yyr-62t-pwg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614584201,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614584201,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"s87-olo-akk\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614583309,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614583309,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"hqc-ilw-6pg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614583007,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614583007,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5ik-iyy-ry4\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614582497,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614582497,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"0mj-ptm-mcq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614581944,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614581944,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"awr-mtg-lce\",\"attributes\":{\"version\":1,\"name\":\"offensive_k8s_tool\",\"description\":\"A known kubernetes pentesting tool has been executed\",\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] && (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"updateDate\":1699605598275,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qng-psi-j15\",\"attributes\":{\"version\":5,\"name\":\"runc_modification\",\"description\":\"The runc binary was modified in a non-standard way\",\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n&& open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"creationDate\":1627392837049,\"updateDate\":1699605592780,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vlh-msh-elx\",\"attributes\":{\"version\":1,\"name\":\"redis_save_module\",\"description\":\"Redis module has been created\",\"expression\":\"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) && process.file.name in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1699605590262,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"i0s-yb1-hnl\",\"attributes\":{\"version\":4,\"name\":\"net_util_exfiltration\",\"description\":\"Exfiltration attempt via network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1699605585597,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ki7-koc-icf\",\"attributes\":{\"version\":2,\"name\":\"apparmor_modified_tty\",\"description\":\"An AppArmor profile was modified in an interactive session\",\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] && exec.tty_name !=\\\"\\\"\",\"category\":\"Process Activity\",\"creationDate\":1627392836162,\"updateDate\":1699605581360,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kzh-5hn-edg\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_chmod\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", 
~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"updateDate\":1699605577106,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rm1-b8h-cec\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_link\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"updateDate\":1699605575176,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zk5-jeo-579\",\"attributes\":{\"version\":2,\"name\":\"rc_scripts_modified\",\"description\":\"RC scripts modified\",\"expression\":\"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path in [\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1699605566454,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"je9-er4-njy\",\"attributes\":{\"version\":2,\"name\":\"selinux_disable_enforcement\",\"description\":\"SELinux enforcement status was disabled\",\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] && process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"category\":\"Kernel Activity\",\"creationDate\":1635332067172,\"updateDate\":1699605560892,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yly-big-wfq\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_chown\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", 
~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"updateDate\":1699605558253,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6ef-efv-07c\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_utimes\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1606142933669,\"updateDate\":1699605550430,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"1vg-wvn-jeo\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_rename\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142933669,\"updateDate\":1699605548906,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"332-1wp-nhi\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1699375258346,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1699375258346,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pn7-9wx-enb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130893,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130893,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zag-uxd-4rh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130586,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130586,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"gj1-f5n-atq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130040,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130040,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xoa-393-gtb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129856,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129856,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wib-odd-eos\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129533,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129533,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zi0-hgn-9ec\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129209,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129209,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"oce-aqj-x6b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185616079,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185616079,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cdt-p7e-q1b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185615169,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185615169,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wgo-mps-djd\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185614427,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185614427,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"odr-ipk-wvx\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185613924,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185613924,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nb1-dkb-bwz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185612915,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185612915,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"t2g-qma-f5b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185611378,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185611378,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pwg-71z-aob\",\"attributes\":{\"version\":1,\"name\":\"ssl_certificate_tampering_open_v2\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\\n&& container.created_at > 180s\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1688748504240,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zuq-yfd-hun\",\"attributes\":{\"version\":1,\"name\":\"deploy_priv_container\",\"description\":\"A privileged container was created\",\"expression\":\"exec.file.name != \\\"\\\" && container.created_at < 1s && process.cap_permitted & CAP_SYS_ADMIN > 0\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1688748488881,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ayp-cd9-j3f\",\"attributes\":{\"version\":1,\"name\":\"network_sniffing_tool\",\"description\":\"Local account groups were enumerated after container start up\",\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"updateDate\":1688748485348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"x3k-0en-bhm\",\"attributes\":{\"version\":1,\"name\":\"ssh_authorized_keys_open_v2\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && container.created_at > 180s\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1688748480895,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kmx-s3s-htb\",\"attributes\":{\"version\":1,\"name\":\"nsswitch_conf_mod_open_v2\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && container.created_at > 180s\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1688748480617,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fdh-b1k-i0e\",\"attributes\":{\"version\":1,\"name\":\"suid_file_execution\",\"description\":\"a SUID file was executed\",\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \\\"/usr/bin/sudo\\\"\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1688748479473,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rqu-01q-fmr\",\"attributes\":{\"version\":1,\"name\":\"net_util_in_container_v2\",\"description\":\"A network utility was executed in a container\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id != \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ] && container.created_at > 180s\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1688748479210,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"igw-lex-dzw\",\"attributes\":{\"version\":1,\"name\":\"hidden_file_executed\",\"description\":\"A hidden file was executed in a suspicious folder\",\"expression\":\"exec.file.name =~ \\\".*\\\" && exec.file.path in [~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1688748474266,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ixh-tff-n0g\",\"attributes\":{\"version\":1,\"name\":\"shell_profile_modification\",\"description\":\"Shell profile was modified\",\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1688748474208,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"84k-f4f-yx8\",\"attributes\":{\"version\":4,\"name\":\"python_cli_code\",\"description\":\"Python code was provided on the command line\",\"expression\":\"exec.file.name == ~\\\"python*\\\" && exec.args_flags in [\\\"c\\\"] && exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", \\\"*-c*/bash*\\\", \\\"*-c*/bin/sh*\\\", \\\"*-c*pty.spawn*\\\"] && exec.args !~ \\\"*setuptools*\\\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1688748470573,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"llh-ylu-udm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740629202,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740629202,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tfj-qbi-njb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740550818,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740550818,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"otj-idk-ece\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740379706,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740379706,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"l88-cpw-jvx\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688739737197,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688739737197,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kcw-scc-5ve\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\",\"description\":\"Test 
Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688677455854,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688677455854,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lg7-iv9-wts\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_utimes\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (utimes.file.path == \\\"/etc/sudoers\\\")\\n) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684185006444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"lxo-jgz-gtv\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_chown\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path == \\\"/etc/sudoers\\\")\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1684185001787,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vu4-g2z-6yx\",\"attributes\":{\"version\":1,\"name\":\"user_deleted_tty\",\"description\":\"A user was deleted via an interactive session\",\"expression\":\"exec.file.name in [\\\"userdel\\\", \\\"deluser\\\"] && exec.tty_name !=\\\"\\\" && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1684185000708,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"dgj-0mh-asf\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_unlink\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (unlink.file.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684184996909,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6t0-pxf-oag\",\"attributes\":{\"version\":1,\"name\":\"curl_docker_socket\",\"description\":\"The Docker socket was referenced in a cURL command\",\"expression\":\"exec.file.name == \\\"curl\\\" && exec.args_flags in [\\\"unix-socket\\\"] && exec.args in [\\\"*docker.sock*\\\"] && container.id != \\\"\\\"\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"updateDate\":1684184996292,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"07x-ilo-vbw\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_rename\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (rename.file.path == \\\"/etc/sudoers\\\"\\n || rename.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684184995498,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vbb-8oz-uj8\",\"attributes\":{\"version\":1,\"name\":\"read_release_info\",\"description\":\"OS information was read from the /etc/lsb-release file\",\"expression\":\"open.file.path == \\\"/etc/lsb-release\\\" && open.flags & O_RDONLY > 0\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684184994303,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"hxb-abz-bnu\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_chmod\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode != chmod.file.mode && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1684184993817,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wxp-zv6-mdg\",\"attributes\":{\"version\":1,\"name\":\"kmod_list\",\"description\":\"Kernel modules were listed using the kmod command\",\"expression\":\"exec.comm == \\\"kmod\\\" && exec.args in [~\\\"*list*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1684184992493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"0on-nzp-luo\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_open\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"\\n(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n(open.file.path == \\\"/etc/sudoers\\\")) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684184992340,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rsp-g6i-jdi\",\"attributes\":{\"version\":1,\"name\":\"service_stop\",\"description\":\"systemctl used to stop a service\",\"expression\":\"exec.file.name == \\\"systemctl\\\" && exec.args in [~\\\"*stop*\\\"]\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"updateDate\":1684184991238,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"d5p-vk6-w0f\",\"attributes\":{\"version\":1,\"name\":\"exec_lsmod\",\"description\":\"Kernel modules were listed using the lsmod command\",\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1684184990877,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ich-3ke-cor\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_link\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (link.file.path == \\\"/etc/sudoers\\\"\\n || link.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684184985910,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zdy-kcq-q0v\",\"attributes\":{\"version\":1,\"name\":\"read_kubeconfig\",\"description\":\"The kubeconfig file was accessed\",\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1684184984191,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yij-lei-ykx\",\"attributes\":{\"version\":1,\"name\":\"exec_whoami\",\"description\":\"The whoami command was 
executed\",\"expression\":\"exec.comm == \\\"whoami\\\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1684184982050,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fjh-jmi-fbi\",\"attributes\":{\"version\":1,\"name\":\"auditd_rule_file_modified\",\"description\":\"The auditd rules file was modified without using auditctl\",\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \\\"auditctl\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490457848,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"div-3ym-esz\",\"attributes\":{\"version\":1,\"name\":\"auditd_config_modified\",\"description\":\"The auditd configuration file was modified without using auditctl\",\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \\\"auditctl\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490453830,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"swo-jyw-vtb\",\"attributes\":{\"version\":5,\"name\":\"aws_eks_service_account_token_accessed\",\"description\":\"The AWS EKS service account token was accessed\",\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" && open.file.name == \\\"token\\\" && process.file.path not in 
[\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490453789,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"2p0-3i2-b4y\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_open\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490451189,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ybu-yya-acz\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_chmod\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n 
(chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.mode != chmod.file.destination.mode\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"updateDate\":1681490448291,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kek-yib-peb\",\"attributes\":{\"version\":2,\"name\":\"shell_history_deleted\",\"description\":\"Shell History was Deleted\",\"expression\":\"(unlink.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\") && process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490445819,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"w07-amm-bxr\",\"attributes\":{\"version\":10,\"name\":\"ssl_certificate_tampering_utimes\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", 
\\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490443753,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pti-xku-k7y\",\"attributes\":{\"version\":3,\"name\":\"shell_history_truncated\",\"description\":\"Shell History was Deleted\",\"expression\":\"open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\" && open.file.path in [~\\\"/root/*\\\", ~\\\"/home/**\\\"] && process.file.name == \\\"truncate\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1681490441112,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jin-icc-lpi\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_unlink\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", 
~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"updateDate\":1681490440557,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"aby-cmp-yrd\",\"attributes\":{\"version\":2,\"name\":\"dynamic_linker_config_write\",\"description\":\"A process wrote to a dynamic linker config file\",\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", \\\"/etc/ld.so.conf.d/*.conf\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"] && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File 
Activity\",\"creationDate\":0,\"updateDate\":1681490436787,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7nq-ugi-gu1\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_link\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n && process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.file.name !~ \\\"runc*\\\"\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"updateDate\":1681490436302,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qzs-yvl-f4t\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_rename\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && 
process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"creationDate\":1606142980369,\"updateDate\":1681490435881,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9hn-ukg-ek1\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222899530,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222899530,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ulc-8ym-1ch\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222899155,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222899155,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zja-jqt-rpm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898613,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898613,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"2ov-h11-m4w\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898408,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898408,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"shb-0xv-eib\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898061,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898061,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"psp-nbn-dtg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222897739,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222897739,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mcq-6by-989\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856493876,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856493876,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tci-5f7-cis\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856492960,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856492960,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mey-lit-gzs\",\"attributes\":{\"version\":1,\"name\":\"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856491445,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856491445,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"4ve-rws-nw0\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856490988,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856490988,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"9aa-y0q-rrc\",\"attributes\":{\"version\":1,\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856490077,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856490077,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tvd-3p1-cai\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856489180,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856489180,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"asy-mod-zmt\",\"attributes\":{\"version\":5,\"name\":\"user_created_tty\",\"description\":\"A user was 
created via an interactive session\",\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] && exec.tty_name !=\\\"\\\" && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && exec.args_flags not in [\\\"D\\\"]\",\"category\":\"Process Activity\",\"creationDate\":1627392836979,\"updateDate\":1677793421528,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rek-wb4-s7y\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_rename\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1677793418528,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"4fh-bb7-747\",\"attributes\":{\"version\":11,\"name\":\"credential_modified_chmod\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (chmod.file.path in [ 
\\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"updateDate\":1677793414173,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yiy-mba-pny\",\"attributes\":{\"version\":5,\"name\":\"common_net_intrusion_util\",\"description\":\"A network utility (nmap) commonly used in intrusion attacks was executed\",\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zgrab\\\", \\\"zgrab2\\\", \\\"rustscan\\\", \\\"pnscan\\\"] && exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"category\":\"Process Activity\",\"creationDate\":1617722067554,\"updateDate\":1677793413474,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3tj-btx-kvo\",\"attributes\":{\"version\":5,\"name\":\"package_management_in_container\",\"description\":\"Package management was detected in a 
container\",\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && container.id != \\\"\\\"\",\"category\":\"Process Activity\",\"creationDate\":1617722067648,\"updateDate\":1677793413044,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"oio-i4o-xzw\",\"attributes\":{\"version\":1,\"name\":\"tty_shell_in_container\",\"description\":\"A shell with a TTY was executed in a container\",\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] && process.tty_name != \\\"\\\" && process.container.id != \\\"\\\"\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"updateDate\":1677793412844,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qdc-oqx-zsx\",\"attributes\":{\"version\":8,\"name\":\"systemd_modification_chown\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1677793412379,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pwh-omk-qrr\",\"attributes\":{\"version\":3,\"name\":\"new_binary_execution_in_container\",\"description\":\"A container executed a new binary not found in the container image\",\"expression\":\"container.id != \\\"\\\" && process.file.in_upper_layer && process.file.modification_time < 30s && exec.file.name != \\\"\\\"\",\"category\":\"Process Activity\",\"creationDate\":1652129906455,\"updateDate\":1677793412378,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bgs-kbk-xkh\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_link\",\"description\":\"A service may have been 
modified without authorization\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1677793412375,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tmh-now-e61\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_open\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1606142933669,\"updateDate\":1677793410974,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kxs-kt6-5gt\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_unlink\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1677793406609,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ohp-ags-xpk\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_utimes\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File 
Activity\",\"creationDate\":1606142936138,\"updateDate\":1677793405837,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"t8w-eul-chf\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_utimes\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1677793405627,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ay7-jkz-rda\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_unlink\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"updateDate\":1677793404797,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fpw-paa-smb\",\"attributes\":{\"version\":10,\"name\":\"kernel_module_utimes\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746168,\"updateDate\":1677793402985,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"c4t-pxu-ixk\",\"attributes\":{\"version\":10,\"name\":\"kernel_module_unlink\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", 
~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746168,\"updateDate\":1677793402725,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ec9-vff-7ni\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_link\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1598516746168,\"updateDate\":1677793401708,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"r5z-tke-sjm\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_link\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"updateDate\":1677793401181,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"eoy-4fe-q7q\",\"attributes\":{\"version\":11,\"name\":\"credential_modified_chown\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", 
\\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"updateDate\":1677793399502,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"cd0-w8q-vl4\",\"attributes\":{\"version\":11,\"name\":\"kernel_module_chown\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File 
Activity\",\"creationDate\":1598516746168,\"updateDate\":1677793397722,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bw8-80r-qih\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_BAiZP\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677793394115,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677793394115,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mpb-1rj-dv6\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_rename\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1598516746168,\"updateDate\":1677793394010,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ac4-asc-qi4\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_rename\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"updateDate\":1677793391290,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gtx-vpl-ror\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_lszUX\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1675978633464,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1675978633464,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xye-pfo-y0r\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_open\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746168,\"updateDate\":1674486423764,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"cmu-g58-cau\",\"attributes\":{\"version\":6,\"name\":\"cron_at_job_creation_rename\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ 
\\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486423628,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"sna-hgh-vo4\",\"attributes\":{\"version\":3,\"name\":\"dynamic_linker_config_unlink\",\"description\":\"A process unlinked a dynamic linker config file\",\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1674486422738,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"efc-svz-7hu\",\"attributes\":{\"version\":1,\"name\":\"potential_web_shell_parent\",\"description\":\"A web application spawned a shell or shell utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n 
\\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin
/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) &&\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1674486413493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tna-ty5-e7c\",\"attributes\":{\"version\":1,\"name\":\"mount_host_fs\",\"description\":\"The host file system was mounted in a container\",\"expression\":\"mount.source.path == \\\"/\\\" && mount.fs_type != \\\"overlay\\\" && container.id != \\\"\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1674486412444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ygi-ozn-m5d\",\"attributes\":{\"version\":1,\"name\":\"memfd_create\",\"description\":\"memfd object created\",\"expression\":\"exec.file.name =~ \\\"memfd*\\\" && exec.file.path == \\\"\\\"\",\"category\":\"Process 
Activity\",\"creationDate\":0,\"updateDate\":1674486411993,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nlp-lzc-rcf\",\"attributes\":{\"version\":5,\"name\":\"systemd_modification_open\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142929241,\"updateDate\":1674486408888,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"avt-p2e-fyc\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_chmod\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File 
Activity\",\"creationDate\":1598516746168,\"updateDate\":1674486407158,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ipa-v3l-kt6\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_chmod\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) && chmod.file.destination.mode != chmod.file.mode\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486406983,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3xl-qds-f0e\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_chown\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", 
~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486406776,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"0gu-pqy-o1a\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_link\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486406604,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ygn-d8o-ncr\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_utimes\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486406387,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"psd-3el-h33\",\"attributes\":{\"version\":9,\"name\":\"credential_modified_utimes\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":1598516746271,\"updateDate\":1674486406248,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"atu-tci-bjn\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_unlink\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& 
process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486405229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"onm-dqu-jly\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_open\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"creationDate\":1606142961130,\"updateDate\":1674486404864,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kuu-k1s-gqz\",\"attributes\":{\"version\":6,\"name\":\"systemd_modification_chmod\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"creationDate\":1606142929241,\"updateDate\":1674486404846,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"hnh-eio-mow\",\"attributes\":{\"version\":2,\"name\":\"ptrace_antidebug\",\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"expression\":\"ptrace.request == PTRACE_TRACEME && process.file.name != \\\"\\\"\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718435,\"updateDate\":1670604150759,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"f5y-pdn-pnj\",\"attributes\":{\"version\":4,\"name\":\"kernel_module_load\",\"description\":\"A kernel module was loaded\",\"expression\":\"load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", \\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\"] && process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718458,\"updateDate\":1670604150549,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ddh-ld5-2rj\",\"attributes\":{\"version\":1,\"name\":\"aws_imds\",\"description\":\"An AWS IMDS was called via a network 
utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", \\\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1670604150281,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"enj-kdc-1tt\",\"attributes\":{\"version\":1,\"name\":\"net_file_download\",\"description\":\"A suspicious file was written by a network utility\",\"expression\":\"open.flags & O_CREAT > 0 && process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n&& (\\n (open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\\n)\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1670604150067,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wew-y1h-1um\",\"attributes\":{\"version\":1,\"name\":\"compile_after_delivery\",\"description\":\"A compiler wrote a suspicious file in a container\",\"expression\":\"open.flags & O_CREAT > 0\\n&& (\\n (open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n&& (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"])\\n&& 
process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n&& container.id != \\\"\\\"\",\"category\":\"File Activity\",\"creationDate\":0,\"updateDate\":1670604150062,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ct9-og0-h7h\",\"attributes\":{\"version\":1,\"name\":\"net_unusual_request\",\"description\":\"Network utility executed with suspicious URI\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] \",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1670604150059,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9dx-svj-apj\",\"attributes\":{\"version\":1,\"name\":\"azure_imds\",\"description\":\"An Azure IMDS was called via a network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1670604150058,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"sah-xju-jcq\",\"attributes\":{\"version\":1,\"name\":\"gcp_imds\",\"description\":\"An GCP IMDS was called via a network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", 
~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1670604150002,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"mmk-0g6-4qu\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_VxNSK\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1668731826060,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1668731826060,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uze-gr4-sfh\",\"attributes\":{\"version\":1,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1667938921652,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1667938921652,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mgd-dmc-zta\",\"attributes\":{\"version\":1,\"name\":\"interactive_shell_in_container\",\"description\":\"An interactive shell was started inside of a container\",\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n 
\\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] && exec.args_flags in [\\\"i\\\"] && container.id !=\\\"\\\"\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1666888169595,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3lt-gov-2yu\",\"attributes\":{\"version\":4,\"name\":\"net_util\",\"description\":\"A network utility was executed\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id == \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"category\":\"Process Activity\",\"creationDate\":1642158534952,\"updateDate\":1666888163498,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jx4-pkv-247\",\"attributes\":{\"version\":2,\"name\":\"dirty_pipe_attempt\",\"description\":\"Potential Dirty pipe exploitation attempt\",\"expression\":\"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) 
!= 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)\",\"category\":\"File Activity\",\"creationDate\":1648564123603,\"updateDate\":1666888163347,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ifl-wfe-sch\",\"attributes\":{\"version\":6,\"name\":\"net_util_in_container\",\"description\":\"A network utility was executed in a container\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id != \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"category\":\"Process Activity\",\"creationDate\":1617722068439,\"updateDate\":1666888163319,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"aux-r7v-odv\",\"attributes\":{\"version\":2,\"name\":\"dirty_pipe_exploitation\",\"description\":\"Potential Dirty pipe exploitation\",\"expression\":\"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid != 0 && process.gid != 0)\",\"category\":\"File Activity\",\"creationDate\":1648564123563,\"updateDate\":1666888163318,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vri-cjo-ywh\",\"attributes\":{\"version\":2,\"name\":\"pwnkit_privilege_escalation\",\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"expression\":\"(exec.file.path == 
\\\"/usr/bin/pkexec\\\" && exec.envs in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] && exec.envs not in [~\\\"*DISPLAY*\\\", ~\\\"*DESKTOP_SESSION*\\\"] && exec.uid != 0)\",\"category\":\"Process Activity\",\"creationDate\":1643639113864,\"updateDate\":1666888163135,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ejk-rbu-v9x\",\"attributes\":{\"version\":3,\"name\":\"passwd_execution\",\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] && exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"category\":\"Process Activity\",\"creationDate\":1617722068383,\"updateDate\":1666888162106,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pej-frv-8lb\",\"attributes\":{\"version\":2,\"name\":\"java_shell_execution\",\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n 
\\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/b
in/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"])\\n&& process.ancestors.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationDate\":1617722069224,\"updateDate\":1666888161764,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"llh-jd2-obf\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_cdxqn\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1666320581140,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1666320581140,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xae-nwo-v33\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_iNwDw\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1666305602255,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1666305602255,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rvp-ggu-cvk\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706668670,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706791898,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"vx9-lii-nnm\",\"attributes\":{\"version\":1,\"name\":\"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706690162,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706690162,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xur-uya-vqn\",\"attributes\":{\"version\":1,\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706656639,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706656639,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"96x-aqb-3yh\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_RMoJm\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706171079,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706171079,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"smc-exb-ymp\",\"attributes\":{\"version\":1,\"name\":\"ld_preload_unusual_library_path\",\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file directory\",\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\" ,~\\\"LD_PRELOAD=/dev/shm/*\\\" ]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1665475122471,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fak-u9s-pac\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_chown\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" 
])\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"updateDate\":1665475121157,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ki2-nwj-sot\",\"attributes\":{\"version\":4,\"name\":\"nsswitch_conf_mod_chmod\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"updateDate\":1665475120054,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"12k-ui3-z4h\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_chmod\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"updateDate\":1665475102566,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ien-7aw-blw\",\"attributes\":{\"version\":4,\"name\":\"ssh_authorized_keys_chown\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && (chown.file.destination.uid != 
chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"updateDate\":1665475102281,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vqc-lta-u8c\",\"attributes\":{\"version\":4,\"name\":\"ssh_authorized_keys_chmod\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"updateDate\":1665475100348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"m1y-sk8-b4c\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_xkrhu\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665129615755,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665129615755,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"19v-30b-0xf\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665129432848,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665129432848,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ehj-52q-wq0\",\"attributes\":{\"version\":1,\"name\":\"shell_history_symlink\",\"description\":\"A symbolic link for shell history was created targeting /dev/null\",\"expression\":\"exec.comm == \\\"ln\\\" && exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"category\":\"Process Activity\",\"creationDate\":0,\"updateDate\":1661193980229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gp1-mai-dlc\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test_us1_prod\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661183150504,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661183150504,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ai3-b8g-lbc\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test_prod\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661182864424,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661182864424,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tmz-dqc-yml\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661182722064,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661182722064,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ez9-ozl-3lz\",\"attributes\":{\"version\":2,\"name\":\"potential_cryptominer\",\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"expression\":\"dns.question.name in [~\\\"*minexmr.com\\\", ~\\\"*nanopool.org\\\", ~\\\"*supportxmr.com\\\", ~\\\"*c3pool.com\\\", ~\\\"*p2pool.io\\\", ~\\\"*ethermine.org\\\", ~\\\"*f2pool.com\\\", ~\\\"*poolin.me\\\", ~\\\"*rplant.xyz\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network 
Activity\",\"creationDate\":0,\"updateDate\":1658502077556,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tef-sab-thr\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001153179,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001158687,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wup-o5b-tjo\",\"attributes\":{\"version\":1,\"name\":\"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001152681,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001152681,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"c3v-vla-rev\",\"attributes\":{\"version\":1,\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001148856,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001148856,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"yel-nbl-2pj\",\"attributes\":{\"version\":1,\"name\":\"testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1654691372829,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1654691372829,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"rp0-hmk-9c1\",\"attributes\":{\"version\":1,\"name\":\"ip_check_domain\",\"description\":\"A DNS lookup was done for a IP check service\",\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"updateDate\":1654020337230,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"q7y-2ci-hkh\",\"attributes\":{\"version\":1,\"name\":\"paste_site\",\"description\":\"A DNS lookup was done for a pastebin-like 
site\",\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network Activity\",\"creationDate\":0,\"updateDate\":1654020335889,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ntj-rfs-mw3\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1652008845797,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1652008845797,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dyn-u7u-v86\",\"attributes\":{\"version\":2,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997888388,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997888544,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mlg-yxw-uig\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997887223,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997887223,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lq3-t6t-xng\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997886363,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997886363,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"1hp-hpr-4ez\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\",\"description\":\"My 
Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997885869,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997885869,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mt3-pks-n5s\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997884985,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997884985,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"r4a-yvz-rj7\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997884150,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997884150,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"5k1-gwi-0aq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651943472022,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651943472022,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lkj-jnq-r6s\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651915815493,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651915815493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mbc-iwk-zpb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651912470539,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651912470539,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fzb-lli-m26\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651867150336,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651867150336,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"9mk-xxe-lpw\",\"attributes\":{\"version\":2,\"name\":\"suspicious_container_client\",\"description\":\"A container management utility was executed in a container\",\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\"] && container.id != \\\"\\\"\",\"category\":\"Process Activity\",\"creationDate\":1617722068555,\"updateDate\":1651671394200,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ieg-lmk-cgo\",\"attributes\":{\"version\":2,\"name\":\"kernel_module_load_container\",\"description\":\"A container loaded a new kernel module\",\"expression\":\"load_module.name != \\\"\\\" && 
container.id !=\\\"\\\"\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718705,\"updateDate\":1650371511241,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"lzx-kkv-at3\",\"attributes\":{\"version\":1,\"name\":\"ptrace_injection\",\"description\":\"A process attempted to inject code into another process\",\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718540,\"updateDate\":1650293789265,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"foo-pve-qbq\",\"attributes\":{\"version\":1,\"name\":\"kernel_module_load_from_memory_container\",\"description\":\"A kernel module was loaded from memory inside a container\",\"expression\":\"load_module.loaded_from_memory == true && container.id !=\\\"\\\"\",\"category\":\"Kernel Activity\",\"creationDate\":1650293718365,\"updateDate\":1650293788418,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"irg-o45-pxz\",\"attributes\":{\"version\":3,\"name\":\"example_agent_rule\",\"description\":\"An example agent rule generated in terraform\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1647036168203,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1647036377676,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rsy-7jg-hqm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392938634,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392938634,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"m39-rre-anw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392919175,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392919175,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"4wd-unc-xof\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name 
== \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392899126,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392899126,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jhk-qpj-jlt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392475857,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392475857,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ruf-aic-d4j\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392453588,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392453588,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jtf-zrn-0ph\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392434263,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392434263,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ijz-1cz-bms\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392042558,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392042558,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"21m-gs8-p43\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392021741,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392021741,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"in7-ydq-pbw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391998597,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391998597,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"v8v-sem-rmg\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391745920,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391745920,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kox-qtp-cbn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name 
== \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391725233,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391725233,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"thp-evn-3gr\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391702920,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391702920,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hx6-v0z-9gk\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390450706,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390450706,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n8j-9n3-urm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390427444,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390427444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tkl-mjf-is5\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390405807,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390405807,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"up2-fhh-bc8\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390171673,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390171673,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"vdu-0rd-lnj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390147278,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390147278,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dfb-wz2-0ka\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390124588,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390124588,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"7vz-wdj-vwc\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389998703,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389998703,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"qls-upn-1vc\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389972825,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389972825,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rxo-lya-bqu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389950224,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389950224,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dm3-ip4-rza\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389929035,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389929035,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rzs-ccq-4qm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389773436,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389773436,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wa9-zm8-8ds\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389706550,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389706550,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"alm-sgy-vz3\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389645597,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389645597,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dls-vo9-rqx\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389575084,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389575084,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fyz-u20-nvn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389549031,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389549031,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nqv-0et-fcj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389523942,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389523942,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"u7v-36z-wue\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389502800,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389502800,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"y2z-ffa-zys\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389479547,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389479547,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cym-1zi-nnd\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389428402,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389428402,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ip9-wgt-q3k\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389406698,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389406698,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"t9d-zbo-2nw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389381751,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389381751,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kaw-0h7-dji\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389356453,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389356453,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"m4i-otg-jnj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389335243,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389335243,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"heh-lnh-xwm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389226802,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389226802,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cwa-5rh-qtd\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389204108,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389204108,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"e5l-xtx-hmi\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389181761,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389181761,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ebx-lyj-r3a\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389155207,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389155207,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xac-4if-49b\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389130549,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389130549,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dh6-bdu-8v0\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389106392,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389106392,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hkd-6dr-ify\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388960762,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388960762,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"bsx-fod-0xj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388931383,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388931383,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"8jt-x9p-yoy\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388907818,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388907818,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rhd-qao-dub\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388883010,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388883010,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"j0f-fhi-ab7\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388862340,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388862340,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rvn-u2c-xm4\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388843151,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388843151,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ldn-agb-3fl\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388744863,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388744863,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cyr-g7t-to0\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388719895,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388719895,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wnm-xkk-mat\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388693095,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388693095,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"moo-kuq-zbt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388275282,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388275282,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wzs-moc-ji9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388250051,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388250051,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uw2-d3y-5h6\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388226579,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388226579,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fez-txs-qf9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388201323,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388201323,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fga-mna-xej\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388177724,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388177724,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"iyn-7sl-swn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388157048,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388157048,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"p3w-qyi-pbo\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388010676,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388010676,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"yyt-sfa-fck\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387597089,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387597089,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"5z7-fqq-siu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387573023,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387573023,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ivz-amj-yl7\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387549793,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387549793,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lyv-3xn-qch\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387524178,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387524178,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fpt-c7o-ipx\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387500298,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387500298,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tap-fek-5kw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387480011,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387480011,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"u7b-x0z-cbe\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387165931,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387165931,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hhe-gcm-vjl\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387141298,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387141298,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nt9-5fe-de1\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387114912,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387114912,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pj0-bcy-euh\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387082695,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387082695,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rm5-px4-iua\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387057879,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387057879,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cqz-7pc-ajz\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387032689,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387032689,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hot-prj-df5\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386926682,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386926682,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"q7n-lvv-4au\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386901939,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386901939,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"gly-5wu-uny\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386877222,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386877222,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"umz-fjl-7qq\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386850558,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386850558,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"spq-5f8-isw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386826170,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386826170,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dul-hdz-xmo\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386804704,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386804704,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n94-q2a-co9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386762229,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386762229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"x1n-wra-hdt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386735946,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386735946,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kgt-kcc-tnu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386713348,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386713348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"znp-dul-gcj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386674573,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386674573,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":null,\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ily-tsr-dtj\",\"attributes\":{\"version\":1,\"name\":\"compiler_in_container\",\"description\":\"Compiler Executed in Container\",\"expression\":\"(exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || (exec.file.name == \\\"go\\\" && exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) && container.id !=\\\"\\\" && process.ancestors.file.path != \\\"/usr/bin/cilium-agent\\\"\",\"category\":\"Process Activity\",\"creationDate\":1627392836759,\"updateDate\":1636729662344,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jl5-wjt-58e\",\"attributes\":{\"version\":1,\"name\":\"aws_metadata_service\",\"description\":\"EC2 Instance Metadata Service Accessed via Network 
Utility\",\"expression\":\"exec.file.path in [\\\"/usr/bin/wget\\\", \\\"/usr/bin/curl\\\"] && exec.args in [~\\\"*169.254.169.254*\\\"]\",\"category\":\"Process Activity\",\"creationDate\":1627392836096,\"updateDate\":1629226276630,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8ol-dkr-aml\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_link\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fdf-wvb-c3k\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_open\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pkn-azw-qia\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_rename\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wpt-ba8-mpd\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_unlink\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7ud-d2o-qgo\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_utimes\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"za8-uxc-jxk\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_link\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n link.file.name == \\\"authorized_keys\\\" && (link.file.path in [ ~\\\"*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nej-iw4-adk\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_open\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.name == \\\"authorized_keys\\\" && (open.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tiz-yss-zhq\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_rename\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n rename.file.name == \\\"authorized_keys\\\" && (rename.file.path in [ ~\\\"*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"apr-zj4-ee1\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_unlink\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n unlink.file.name == \\\"authorized_keys\\\" && (unlink.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yhq-etl-wr6\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_utimes\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n utimes.file.name == \\\"authorized_keys\\\" && (utimes.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"m8i-uhr-aoq\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_link\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"adl-qjr-lyg\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_open\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"2fy-aqt-8mz\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_rename\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ei7-n5e-rvv\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_unlink\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":true,\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"}]}\n", + "body": "{\"data\":[{\"id\":\"h9w-1za-erv\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1742473059337,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1742473059978,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"khg-aab-9th\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1737245935950,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1737245936416,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ayg-ed4-gwq\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_KSDPb\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1730871736407,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1730871736407,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"om5-n7z-ike\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_qDgvU\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1727845578846,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1727845578846,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"6ae-6oo-ebo\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_DBtCK\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1724855417119,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1724855417119,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"z3p-vom-jnb\",\"attributes\":{\"version\":1,\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1724373425669,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1724373425669,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"aum-fmk-2zi\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_sUVnW\",\"description\":\"Execution of a java 
process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1720846828022,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1720846828022,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"8j1-gvj-zbg\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_ipyRF\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1720846816336,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1720846816336,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mgj-zek-ajo\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_AszwF\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1718401086044,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1718401086044,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"bf0-bng-csr\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_bVlLJ\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1718400725834,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1718400725834,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"qni-ngf-dzd\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_tSfwV\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1716175452369,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1716175452369,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"qio-d0k-d3j\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_mABue\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1716162686297,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1716162686297,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fbo-ian-ijl\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_VfQSV\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713905359927,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713905359927,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"1o7-fwy-pet\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_JAnCe\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713903379681,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713903379681,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ug1-mbq-gkm\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_KJInv\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == 
\\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713902127183,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713902127183,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xvo-htm-wak\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_PkauG\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713901759732,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713901759732,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zfc-g0g-a8x\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_LPRxi\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196703991,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196703991,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pae-rpt-yni\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_CpDMZ\",\"description\":\"Execution of a java 
process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196520725,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196520725,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jwu-xbf-ic5\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_HfYXr\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1713196519724,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1713196519724,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uew-oxg-b86\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_Tjzvu\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712805386256,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712805386256,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wyn-ib7-f7o\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_fWORB\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712805020073,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712805020073,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mwk-g74-lbd\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_XcxFr\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712804840761,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712804840761,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rqa-io7-fwn\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_bKkuv\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1712804479644,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1712804479644,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n1x-qsa-p53\",\"attributes\":{\"version\":1,\"name\":\"windows_cryptominer_process\",\"description\":\"A cryptominer was potentially executed\",\"expression\":\"exec.cmdline in [~\\\"*xmrig*\\\", ~\\\"*cpu-priority*\\\", ~\\\"*donate-level*\\\", ~\\\"*randomx-1gb-pages*\\\", ~\\\"*stratum+tcp*\\\", ~\\\"*stratum+ssl*\\\", ~\\\"*stratum1+tcp*\\\", ~\\\"*stratum1+ssl*\\\", ~\\\"*stratum2+tcp*\\\", ~\\\"*stratum2+ssl*\\\", ~\\\"*nicehash*\\\", ~\\\"*yespower*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1712079129574,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rws-z9b-qjv\",\"attributes\":{\"version\":1,\"name\":\"ransomware_note\",\"description\":\"Possible ransomware note created under common user directories\",\"expression\":\"open.flags & O_CREAT > 0\\n&& open.file.path in [~\\\"/home/**\\\", ~\\\"/root/**\\\", ~\\\"/bin/**\\\", ~\\\"/usr/bin/**\\\", ~\\\"/opt/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/log/**\\\", ~\\\"/var/lib/log/**\\\", ~\\\"/var/backup/**\\\", ~\\\"/var/www/**\\\"]\\n&& open.file.name in [r\\\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\\\"] && open.file.name not in [r\\\".*\\\\.lock$\\\"]\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644650371,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pqp-0vs-cmu\",\"attributes\":{\"version\":1,\"name\":\"ssh_it_tool_config_write\",\"description\":\"The configuration directory for an ssh worm\",\"expression\":\"open.file.path in [\\\"/root/.prng/*\\\", ~\\\"/home/*/.prng/*\\\", ~\\\"/root/.config/prng/*\\\", ~\\\"/home/*/.config/prng/*\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644642969,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tkp-w9m-vzp\",\"attributes\":{\"version\":1,\"name\":\"safeboot_modification\",\"description\":\"Safeboot registry modified\",\"expression\":\"set.registry.key_path =~ \\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SafeBoot\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644635093,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8be-hej-nf2\",\"attributes\":{\"version\":3,\"name\":\"ps_discovery\",\"description\":\"Processes were listed using the ps command\",\"expression\":\"exec.comm == \\\"ps\\\" && exec.argv not in [\\\"-p\\\", \\\"--pid\\\"] && process.ancestors.file.name not in [\\\"qualys-cloud-agent\\\", \\\"amazon-ssm-agent\\\"] && process.parent.file.name not in [\\\"rkhunter\\\", \\\"jspawnhelper\\\", ~\\\"vm-agent*\\\", 
\\\"PassengerAgent\\\", \\\"node\\\", \\\"wdavdaemon\\\", \\\"chkrootkit\\\", \\\"tsagentd\\\", \\\"wazuh-modulesd\\\", \\\"wdavdaemon\\\", \\\"talend-remote-engine-service\\\", \\\"check_procs\\\", \\\"newrelic-daemon\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644627589,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wn9-9vf-8be\",\"attributes\":{\"version\":1,\"name\":\"mount_proc_hide\",\"description\":\"Process hidden using mount\",\"expression\":\"mount.mountpoint.path in [~\\\"/proc/1*\\\", ~\\\"/proc/2*\\\", ~\\\"/proc/3*\\\", ~\\\"/proc/4*\\\", ~\\\"/proc/5*\\\", ~\\\"/proc/6*\\\", ~\\\"/proc/7*\\\", ~\\\"/proc/8*\\\", ~\\\"/proc/9*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644623109,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"upj-muh-hms\",\"attributes\":{\"version\":2,\"name\":\"chatroom_request\",\"description\":\"A DNS request was made for a chatroom domain\",\"expression\":\"dns.question.name in [\\\"discord.com\\\", \\\"api.telegram.org\\\", \\\"cdn.discordapp.com\\\"]\",\"category\":\"Network Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644612626,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gnz-81e-6lg\",\"attributes\":{\"version\":1,\"name\":\"cryptominer_envs\",\"description\":\"Process environment variables match cryptocurrency miner\",\"expression\":\"exec.envs in [\\\"POOL_USER\\\", \\\"POOL_URL\\\", 
\\\"POOL_PASS\\\", \\\"DONATE_LEVEL\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644602654,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7da-gwx-c3l\",\"attributes\":{\"version\":2,\"name\":\"auditctl_usage\",\"description\":\"The auditctl command was used to modify auditd\",\"expression\":\"exec.file.name == \\\"auditctl\\\" && exec.args_flags not in [\\\"s\\\", \\\"l\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644592613,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8jg-xym-vqz\",\"attributes\":{\"version\":1,\"name\":\"jupyter_shell_execution\",\"description\":\"A Jupyter notebook executed a shell\",\"expression\":\"(exec.file.name in 
[\\\"cat\\\",\\\"chgrp\\\",\\\"chmod\\\",\\\"chown\\\",\\\"cp\\\",\\\"date\\\",\\\"dd\\\",\\\"df\\\",\\\"dir\\\",\\\"echo\\\",\\\"ln\\\",\\\"ls\\\",\\\"mkdir\\\",\\\"mknod\\\",\\\"mktemp\\\",\\\"mv\\\",\\\"pwd\\\",\\\"readlink\\\",\\\"rm\\\",\\\"rmdir\\\",\\\"sleep\\\",\\\"stty\\\",\\\"sync\\\",\\\"touch\\\",\\\"uname\\\",\\\"vdir\\\",\\\"arch\\\",\\\"b2sum\\\",\\\"base32\\\",\\\"base64\\\",\\\"basename\\\",\\\"chcon\\\",\\\"cksum\\\",\\\"comm\\\",\\\"csplit\\\",\\\"cut\\\",\\\"dircolors\\\",\\\"dirname\\\",\\\"du\\\",\\\"env\\\",\\\"expand\\\",\\\"expr\\\",\\\"factor\\\",\\\"fmt\\\",\\\"fold\\\",\\\"groups\\\",\\\"head\\\",\\\"hostid\\\",\\\"id\\\",\\\"install\\\",\\\"join\\\",\\\"link\\\",\\\"logname\\\",\\\"md5sum\\\",\\\"textutils\\\",\\\"mkfifo\\\",\\\"nice\\\",\\\"nl\\\",\\\"nohup\\\",\\\"nproc\\\",\\\"numfmt\\\",\\\"od\\\",\\\"paste\\\",\\\"pathchk\\\",\\\"pinky\\\",\\\"pr\\\",\\\"printenv\\\",\\\"printf\\\",\\\"ptx\\\",\\\"realpath\\\",\\\"runcon\\\",\\\"seq\\\",\\\"sha1sum\\\",\\\"sha224sum\\\",\\\"sha256sum\\\",\\\"sha384sum\\\",\\\"sha512sum\\\",\\\"shred\\\",\\\"shuf\\\",\\\"sort\\\",\\\"split\\\",\\\"stat\\\",\\\"stdbuf\\\",\\\"sum\\\",\\\"tac\\\",\\\"tail\\\",\\\"tee\\\",\\\"test\\\",\\\"timeout\\\",\\\"tr\\\",\\\"truncate\\\",\\\"tsort\\\",\\\"tty\\\",\\\"unexpand\\\",\\\"uniq\\\",\\\"unlink\\\",\\\"users\\\",\\\"wc\\\",\\\"who\\\",\\\"whoami\\\",\\\"chroot\\\"] || exec.file.name in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.name in [\\\"dash\\\",\\\"sh\\\",\\\"static-sh\\\",\\\"sh\\\",\\\"bash\\\",\\\"bash\\\",\\\"bash-static\\\",\\\"zsh\\\",\\\"ash\\\",\\\"csh\\\",\\\"ksh\\\",\\\"tcsh\\\",\\\"busybox\\\",\\\"busybox\\\",\\\"fish\\\",\\\"ksh93\\\",\\\"rksh\\\",\\\"rksh93\\\",\\\"lksh\\\",\\\"mksh\\\",\\\"mksh-static\\\",\\\"csharp\\\",\\\"posh\\\",\\\"rc\\\",\\\"sash\\\",\\\"yash\\\",\\\"zsh5\\\",\\\"zsh5-static\\\"]) && process.ancestors.comm in [\\\"jupyter-noteboo\\\", \\\"jupyter-lab\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644590883,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9ih-87r-xrp\",\"attributes\":{\"version\":1,\"name\":\"registry_runkey_modified\",\"description\":\"A Registry runkey has been modified\",\"expression\":\"set.registry.key_path in [~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\", ~\\\"*\\\\\\\\HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunonceEx\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644584412,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"msb-ai6-ua5\",\"attributes\":{\"version\":2,\"name\":\"tunnel_traffic\",\"description\":\"Tunneling or port 
forwarding tool used\",\"expression\":\"((exec.comm == \\\"pivotnacci\\\" || exec.comm == \\\"gost\\\") && process.args_flags in [\\\"L\\\", \\\"C\\\", \\\"R\\\"]) || (exec.comm in [\\\"ssh\\\", \\\"sshd\\\"] && process.args_flags in [\\\"R\\\", \\\"L\\\", \\\"D\\\", \\\"w\\\"] && process.args in [r\\\"((25[0-5]|(2[0-4]|1\\\\d|[1-9])\\\\d)\\\\.?\\\\b){4}\\\"] ) || (exec.comm == \\\"sshuttle\\\" && process.args_flags in [\\\"r\\\", \\\"remote\\\", \\\"l\\\", \\\"listen\\\"]) || (exec.comm == \\\"socat\\\" && process.args in [r\\\".*(TCP4-LISTEN:|SOCKS).*\\\"]) || (exec.comm in [\\\"iodine\\\", \\\"iodined\\\", \\\"dnscat\\\", \\\"hans\\\", \\\"hans-ubuntu\\\", \\\"ptunnel-ng\\\", \\\"ssf\\\", \\\"3proxy\\\", \\\"ngrok\\\"] && process.parent.comm in [\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"])\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644574925,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6fr-csu-axm\",\"attributes\":{\"version\":7,\"name\":\"k8s_pod_service_account_token_accessed\",\"description\":\"The Kubernetes pod service account token was accessed\",\"expression\":\"open.file.path in [~\\\"/var/run/secrets/kubernetes.io/serviceaccount/**\\\", ~\\\"/run/secrets/kubernetes.io/serviceaccount/**\\\"] && open.file.name == \\\"token\\\" && process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", 
\\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"] && process.file.path not in [\\\"/usr/bin/cilium-agent\\\", \\\"/coredns\\\", \\\"/usr/bin/cilium-operator\\\", \\\"/manager\\\", \\\"/fluent-bit/bin/fluent-bit\\\", \\\"/usr/local/bin/cloud-node-manager\\\", \\\"/secrets-store-csi\\\", \\\"/bin/secrets-store-csi-driver-provider-aws\\\", \\\"/usr/bin/calico-node\\\", \\\"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\\\", \\\"/nginx-ingress-controller\\\", \\\"/cluster-autoscaler\\\", \\\"/cluster-proportional-autoscaler\\\", \\\"/haproxy-ingress-controller\\\", \\\"/kube-state-metrics\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/external-secrets\\\", \\\"/node-termination-handler\\\", \\\"/fluent-bit-gke-exporter\\\", \\\"/bin/vault\\\", \\\"/usr/local/bin/kubectl\\\", \\\"/local-provisioner\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/usr/local/bin/vaultd\\\", \\\"/usr/local/bin/trace-driveline-writer\\\", \\\"/usr/local/bin/registration-controller\\\", \\\"/usr/local/bin/cluster-autoscaler\\\"] && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1711644571787,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"30s-pi8-9b4\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1711550899699,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1711550899699,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"a9q-iyx-gfu\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686508595,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686508595,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"hlq-w7y-5tg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686508341,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686508341,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"lj4-ina-ue2\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507890,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507890,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"qlz-mcu-d2k\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507757,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507757,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bmx-go6-0lz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507388,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507388,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bk0-mpb-ii8\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1708686507115,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1708686507115,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"0xw-wbm-pel\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131459596,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131459596,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"nvt-eoh-yiz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131458820,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131458820,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"dc5-hba-20b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131457616,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131457616,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"asb-kqf-vex\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131457216,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131457216,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yzx-ia6-bdh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131456469,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131456469,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"3uo-x9p-tmb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1707131455692,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1707131455692,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"kan-5ki-wau\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872191984,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872191984,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ggb-h3r-t7d\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872191450,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872191450,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"y4n-8gx-m3n\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872190549,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872190549,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"xsf-ugy-cfq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872190256,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872190256,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"btr-btz-zif\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872189757,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872189757,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"jnw-ija-az5\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1706872189262,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1706872189262,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"6v0-shq-8gm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452911364,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452911364,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yrv-svq-9nz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452911144,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452911144,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"9s9-wui-t8c\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910712,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910712,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"krm-ssv-tn5\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910586,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910586,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"uiu-6vz-z2h\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910368,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910368,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"eej-oup-jwu\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1704452910147,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1704452910147,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ltv-fla-wb0\",\"attributes\":{\"version\":1,\"name\":\"ntds_in_commandline\",\"description\":\"NTDS file referenced in commandline\",\"expression\":\"exec.cmdline =~ \\\"*ntds.dit*\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404490608,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"uuf-w3c-u9q\",\"attributes\":{\"version\":1,\"name\":\"scheduled_task_creation\",\"description\":\"A scheduled task was created\",\"expression\":\"exec.file.name in [\\\"at.exe\\\",\\\"schtasks.exe\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404490608,\"filters\":[\"os == \\\"windows\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nyc-gfz-yr5\",\"attributes\":{\"version\":5,\"name\":\"nsswitch_conf_mod_chown\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1704404477785,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bm8-j5w-xfv\",\"attributes\":{\"version\":3,\"name\":\"suspicious_suid_execution\",\"description\":\"Recently written or modified suid file has been executed\",\"expression\":\"((process.file.mode & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name != \\\"\\\" && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404469455,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"phy-tco-k7w\",\"attributes\":{\"version\":6,\"name\":\"database_shell_execution\",\"description\":\"A database application spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n 
\\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\
\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) &&\\nprocess.parent.file.name in [\\\"mysqld\\\", \\\"mongod\\\", \\\"postgres\\\"] &&\\n!(process.parent.file.name == \\\"initdb\\\" &&\\nexec.args == \\\"-c locale -a\\\") &&\\n!(process.parent.file.name == \\\"postgres\\\" &&\\nexec.args == ~\\\"*pg_wal*\\\")\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722069155,\"updateDate\":1704404453620,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7x1-glr-ofl\",\"attributes\":{\"version\":2,\"name\":\"credential_modified_open_v2\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\\n (open.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in 
[~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && container.created_at > 90s\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404453617,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jjg-cwd-bi8\",\"attributes\":{\"version\":2,\"name\":\"pci_11_5_critical_binaries_open_v2\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && container.created_at > 90s\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1704404449335,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rqb-wq9-xzq\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_jcvqK\",\"description\":\"Execution of a java 
process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1704404420111,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1704404420111,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"sqx-azd-ia2\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_ivMAv\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1700251049947,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1700251049947,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"83g-jde-hyc\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1700243663249,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1700243663249,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hyg-8q3-gme\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294824,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294824,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"bn3-we8-cxn\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294647,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294647,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"goh-6ij-cpa\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294269,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294269,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"he7-cho-9th\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219294175,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219294175,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"pj5-9wo-0ny\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219293961,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219293961,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"dmd-ens-omw\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700219293736,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700219293736,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"8ft-wcs-sok\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132880522,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132880522,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"onm-fm3-ilm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132880255,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132880255,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cxv-wyz-udh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879795,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879795,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"7ro-vjj-hqg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879679,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879679,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"3uf-mai-edh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879455,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879455,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"e2t-sos-sgs\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700132879213,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700132879213,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"joz-phu-bj6\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046608383,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046608383,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"9gx-e5x-wxl\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046607880,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046607880,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cmg-7ok-iws\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046607019,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046607019,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"fc2-mmz-xme\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046606743,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046606743,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"cw4-gei-lqg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046606184,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046606184,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"djb-5it-syy\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1700046605699,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1700046605699,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"2be-cfa-xhr\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960183272,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960183272,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5dp-tcj-tbm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960182731,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960182731,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"a0m-zaf-0a8\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181838,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181838,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"erx-pyz-xft\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181554,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181554,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"ydh-fsm-slz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960181024,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960181024,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5pp-60h-keq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699960180438,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699960180438,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"xyn-fkc-osi\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873852793,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873852793,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"llg-x6t-jjq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873852043,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873852043,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"q1s-ejx-xq3\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873850880,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873850880,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"zw4-cad-dro\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873850490,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873850490,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"rik-8jl-7nr\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873849810,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873849810,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"vih-vom-ryl\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699873849102,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699873849102,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"mhl-gkn-bun\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_unlink\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699614659146,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"j3f-cie-47b\",\"attributes\":{\"version\":2,\"name\":\"kernel_module_load_from_memory\",\"description\":\"A kernel module was loaded from memory\",\"expression\":\"load_module.loaded_from_memory == true\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718630,\"updateDate\":1699614659145,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"my1-vln-8fq\",\"attributes\":{\"version\":3,\"name\":\"cryptominer_args\",\"description\":\"A process launched with arguments 
associated with cryptominers\",\"expression\":\"exec.args_options in [~\\\"cpu-priority*\\\", ~\\\"donate-level*\\\"] || exec.args in [~\\\"*stratum+tcp*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699614656177,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"us6-p6v-hbj\",\"attributes\":{\"version\":2,\"name\":\"tar_execution\",\"description\":\"Tar archive created\",\"expression\":\"exec.file.path == \\\"/usr/bin/tar\\\" && exec.args_flags in [\\\"create\\\",\\\"c\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699614655670,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vky-y2i-mvh\",\"attributes\":{\"version\":2,\"name\":\"java_shell_execution_parent\",\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", 
\\\"curl\\\", \\\"lwp-download\\\"] ||\\n exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\
"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"])\\n&& process.parent.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699614653571,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ohe-vlf-t2h\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_chown\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1699614645120,\"filters\":[\"os == 
\\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"abo-w0g-emz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614584761,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614584761,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"yyr-62t-pwg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614584201,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614584201,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"s87-olo-akk\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614583309,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614583309,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"hqc-ilw-6pg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614583007,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614583007,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"5ik-iyy-ry4\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614582497,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614582497,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI 
Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"0mj-ptm-mcq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1699614581944,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1699614581944,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"awr-mtg-lce\",\"attributes\":{\"version\":1,\"name\":\"offensive_k8s_tool\",\"description\":\"A known kubernetes pentesting tool has been executed\",\"expression\":\"(exec.file.name in [ ~\\\"python*\\\" ] && (\\\"KubiScan.py\\\" in exec.argv || \\\"kubestriker\\\" in exec.argv ) ) || exec.file.name in [ \\\"kubiscan\\\",\\\"kdigger\\\",\\\"kube-hunter\\\",\\\"rakkess\\\",\\\"peirates\\\",\\\"kubescape\\\",\\\"kubeaudit\\\",\\\"kube-linter\\\",\\\"stratus\\\",~\\\"botb-*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699605598275,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qng-psi-j15\",\"attributes\":{\"version\":5,\"name\":\"runc_modification\",\"description\":\"The runc binary was modified in a non-standard way\",\"expression\":\"open.file.path in [\\\"/usr/bin/runc\\\", \\\"/usr/sbin/runc\\\", \\\"/usr/bin/docker-runc\\\"]\\n&& open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\\n&& process.file.path not in 
[~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392837049,\"updateDate\":1699605592780,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vlh-msh-elx\",\"attributes\":{\"version\":1,\"name\":\"redis_save_module\",\"description\":\"Redis module has been created\",\"expression\":\"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.rdb\\\", ~\\\"*.aof\\\", ~\\\"*.so\\\"]) && process.file.name in [\\\"redis-check-rdb\\\", \\\"redis-server\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699605590262,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"i0s-yb1-hnl\",\"attributes\":{\"version\":4,\"name\":\"net_util_exfiltration\",\"description\":\"Exfiltration attempt via network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\", ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699605585597,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ki7-koc-icf\",\"attributes\":{\"version\":2,\"name\":\"apparmor_modified_tty\",\"description\":\"An AppArmor profile was modified in an interactive session\",\"expression\":\"exec.file.name in [\\\"aa-disable\\\", \\\"aa-complain\\\", \\\"aa-audit\\\"] && exec.tty_name !=\\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392836162,\"updateDate\":1699605581360,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kzh-5hn-edg\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_chmod\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605577106,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rm1-b8h-cec\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_link\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605575176,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zk5-jeo-579\",\"attributes\":{\"version\":2,\"name\":\"rc_scripts_modified\",\"description\":\"RC scripts modified\",\"expression\":\"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path in [\\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\"])) && process.ancestors.file.path not in 
[~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1699605566454,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"je9-er4-njy\",\"attributes\":{\"version\":2,\"name\":\"selinux_disable_enforcement\",\"description\":\"SELinux enforcement status was disabled\",\"expression\":\"selinux.enforce.status in [\\\"permissive\\\", \\\"disabled\\\"] && process.ancestors.args != ~\\\"*BECOME-SUCCESS*\\\"\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1635332067172,\"updateDate\":1699605560892,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yly-big-wfq\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_chown\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605558253,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6ef-efv-07c\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_utimes\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605550430,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"1vg-wvn-jeo\",\"attributes\":{\"version\":5,\"name\":\"pci_11_5_critical_binaries_rename\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", 
~\\\"/boot/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1699605548906,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"332-1wp-nhi\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1699375258346,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1699375258346,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pn7-9wx-enb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == 
\\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130893,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130893,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zag-uxd-4rh\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130586,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130586,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"gj1-f5n-atq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275130040,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275130040,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xoa-393-gtb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129856,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129856,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wib-odd-eos\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129533,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129533,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zi0-hgn-9ec\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689275129209,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689275129209,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"oce-aqj-x6b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185616079,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185616079,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cdt-p7e-q1b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185615169,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185615169,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod 
Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wgo-mps-djd\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185614427,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185614427,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"odr-ipk-wvx\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185613924,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185613924,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nb1-dkb-bwz\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185612915,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185612915,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"t2g-qma-f5b\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"creationDate\":1689185611378,\"updateAuthorUuId\":\"6018c832-80a7-11ea-93dd-43183212bc7a\",\"updateDate\":1689185611378,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"},\"updater\":{\"name\":\"Sherzod Karimov\",\"handle\":\"sherzod.karimov@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pwg-71z-aob\",\"attributes\":{\"version\":1,\"name\":\"ssl_certificate_tampering_open_v2\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ 
\\\"runc*\\\"\\n&& container.created_at > 180s\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748504240,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zuq-yfd-hun\",\"attributes\":{\"version\":1,\"name\":\"deploy_priv_container\",\"description\":\"A privileged container was created\",\"expression\":\"exec.file.name != \\\"\\\" && container.created_at < 1s && process.cap_permitted & CAP_SYS_ADMIN > 0\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748488881,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ayp-cd9-j3f\",\"attributes\":{\"version\":1,\"name\":\"network_sniffing_tool\",\"description\":\"Local account groups were enumerated after container start up\",\"expression\":\"exec.file.name in [\\\"tcpdump\\\", \\\"tshark\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748485348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"x3k-0en-bhm\",\"attributes\":{\"version\":1,\"name\":\"ssh_authorized_keys_open_v2\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (open.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && container.created_at > 180s\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748480895,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kmx-s3s-htb\",\"attributes\":{\"version\":1,\"name\":\"nsswitch_conf_mod_open_v2\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && container.created_at > 180s\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748480617,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fdh-b1k-i0e\",\"attributes\":{\"version\":1,\"name\":\"suid_file_execution\",\"description\":\"a SUID file was executed\",\"expression\":\"(setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \\\"/usr/bin/sudo\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748479473,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rqu-01q-fmr\",\"attributes\":{\"version\":1,\"name\":\"net_util_in_container_v2\",\"description\":\"A network utility was executed in a container\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id != \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ] && container.created_at > 
180s\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748479210,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"igw-lex-dzw\",\"attributes\":{\"version\":1,\"name\":\"hidden_file_executed\",\"description\":\"A hidden file was executed in a suspicious folder\",\"expression\":\"exec.file.name =~ \\\".*\\\" && exec.file.path in [~\\\"/home/**\\\", ~\\\"/tmp/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748474266,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ixh-tff-n0g\",\"attributes\":{\"version\":1,\"name\":\"shell_profile_modification\",\"description\":\"Shell profile was modified\",\"expression\":\"open.file.path in [~\\\"/home/*/*profile\\\", ~\\\"/home/*/*rc\\\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748474208,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"84k-f4f-yx8\",\"attributes\":{\"version\":4,\"name\":\"python_cli_code\",\"description\":\"Python code was provided on the command line\",\"expression\":\"exec.file.name == ~\\\"python*\\\" && exec.args_flags in [\\\"c\\\"] && exec.args in [~\\\"*-c*SOCK_STREAM*\\\", ~\\\"*-c*subprocess*\\\", \\\"*-c*/bash*\\\", \\\"*-c*/bin/sh*\\\", \\\"*-c*pty.spawn*\\\"] && exec.args !~ \\\"*setuptools*\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1688748470573,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"llh-ylu-udm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740629202,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740629202,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tfj-qbi-njb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740550818,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740550818,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"otj-idk-ece\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688740379706,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688740379706,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"l88-cpw-jvx\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688739737197,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688739737197,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kcw-scc-5ve\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1688677455854,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1688677455854,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lg7-iv9-wts\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_utimes\",\"description\":\"Sudoers policy file may have 
been modified without authorization\",\"expression\":\"(\\n (utimes.file.path == \\\"/etc/sudoers\\\")\\n) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684185006444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"lxo-jgz-gtv\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_chown\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path == \\\"/etc/sudoers\\\")\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684185001787,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vu4-g2z-6yx\",\"attributes\":{\"version\":1,\"name\":\"user_deleted_tty\",\"description\":\"A user was deleted via an interactive session\",\"expression\":\"exec.file.name in [\\\"userdel\\\", \\\"deluser\\\"] && exec.tty_name !=\\\"\\\" && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684185000708,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"dgj-0mh-asf\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_unlink\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (unlink.file.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184996909,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"6t0-pxf-oag\",\"attributes\":{\"version\":1,\"name\":\"curl_docker_socket\",\"description\":\"The Docker socket was referenced in a cURL command\",\"expression\":\"exec.file.name == \\\"curl\\\" && exec.args_flags in [\\\"unix-socket\\\"] && exec.args in [\\\"*docker.sock*\\\"] && container.id != \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184996292,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"07x-ilo-vbw\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_rename\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (rename.file.path == \\\"/etc/sudoers\\\"\\n || rename.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184995498,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vbb-8oz-uj8\",\"attributes\":{\"version\":1,\"name\":\"read_release_info\",\"description\":\"OS information was read from the /etc/lsb-release file\",\"expression\":\"open.file.path == \\\"/etc/lsb-release\\\" && open.flags & O_RDONLY > 0\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184994303,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"hxb-abz-bnu\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_chmod\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode != chmod.file.mode && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184993817,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wxp-zv6-mdg\",\"attributes\":{\"version\":1,\"name\":\"kmod_list\",\"description\":\"Kernel modules were listed using the kmod command\",\"expression\":\"exec.comm == \\\"kmod\\\" && exec.args in [~\\\"*list*\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184992493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"0on-nzp-luo\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_open\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"\\n(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n(open.file.path == \\\"/etc/sudoers\\\")) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184992340,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rsp-g6i-jdi\",\"attributes\":{\"version\":1,\"name\":\"service_stop\",\"description\":\"systemctl used to stop a service\",\"expression\":\"exec.file.name == \\\"systemctl\\\" && exec.args in [~\\\"*stop*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184991238,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"d5p-vk6-w0f\",\"attributes\":{\"version\":1,\"name\":\"exec_lsmod\",\"description\":\"Kernel modules were listed using the lsmod command\",\"expression\":\"exec.comm == \\\"lsmod\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184990877,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ich-3ke-cor\",\"attributes\":{\"version\":1,\"name\":\"sudoers_policy_modified_link\",\"description\":\"Sudoers policy file may have been modified without authorization\",\"expression\":\"(\\n (link.file.path == \\\"/etc/sudoers\\\"\\n || link.file.destination.path == \\\"/etc/sudoers\\\")\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184985910,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"zdy-kcq-q0v\",\"attributes\":{\"version\":1,\"name\":\"read_kubeconfig\",\"description\":\"The kubeconfig file was accessed\",\"expression\":\"open.file.path in [~\\\"/home/*/.kube/config\\\", \\\"/root/.kube/config\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184984191,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yij-lei-ykx\",\"attributes\":{\"version\":1,\"name\":\"exec_whoami\",\"description\":\"The whoami command was executed\",\"expression\":\"exec.comm == \\\"whoami\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1684184982050,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fjh-jmi-fbi\",\"attributes\":{\"version\":1,\"name\":\"auditd_rule_file_modified\",\"description\":\"The auditd rules file was modified without 
using auditctl\",\"expression\":\"open.file.path in [\\\"/etc/audit/rules.d/audit.rules\\\", \\\"/etc/audit/audit.rules\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \\\"auditctl\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490457848,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"div-3ym-esz\",\"attributes\":{\"version\":1,\"name\":\"auditd_config_modified\",\"description\":\"The auditd configuration file was modified without using auditctl\",\"expression\":\"open.file.path == \\\"/etc/audit/auditd.conf\\\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name != \\\"auditctl\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490453830,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"swo-jyw-vtb\",\"attributes\":{\"version\":5,\"name\":\"aws_eks_service_account_token_accessed\",\"description\":\"The AWS EKS service account token was accessed\",\"expression\":\"open.file.path =~ \\\"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\\\" && open.file.name == \\\"token\\\" && process.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490453789,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"2p0-3i2-b4y\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_open\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490451189,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ybu-yya-acz\",\"attributes\":{\"version\":9,\"name\":\"ssl_certificate_tampering_chmod\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.mode != chmod.file.destination.mode\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != 
\\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1681490448291,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kek-yib-peb\",\"attributes\":{\"version\":2,\"name\":\"shell_history_deleted\",\"description\":\"Shell History was Deleted\",\"expression\":\"(unlink.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\") && process.comm not in [\\\"dockerd\\\", \\\"containerd\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490445819,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"w07-amm-bxr\",\"attributes\":{\"version\":10,\"name\":\"ssl_certificate_tampering_utimes\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490443753,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pti-xku-k7y\",\"attributes\":{\"version\":3,\"name\":\"shell_history_truncated\",\"description\":\"Shell History was Deleted\",\"expression\":\"open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name =~ r\\\".([dbazfi]*sh)(_history)$\\\" && open.file.path in [~\\\"/root/*\\\", ~\\\"/home/**\\\"] && process.file.name == \\\"truncate\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490441112,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jin-icc-lpi\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_unlink\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/ssl/certs/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1681490440557,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"aby-cmp-yrd\",\"attributes\":{\"version\":2,\"name\":\"dynamic_linker_config_write\",\"description\":\"A process wrote to a dynamic linker config file\",\"expression\":\"open.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", \\\"/etc/ld.so.conf.d/*.conf\\\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"] && process.ancestors.file.path not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"/opt/datadog-agent/embedded/bin/system-probe\\\", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\", \\\"/opt/datadog-agent/embedded/bin/process-agent\\\", \\\"/opt/datadog-agent/bin/agent/agent\\\", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\", \\\"/usr/bin/dd-host-install\\\", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\", \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1681490436787,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7nq-ugi-gu1\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_link\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (link.file.path in [ 
~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n && process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.file.name !~ \\\"runc*\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1681490436302,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qzs-yvl-f4t\",\"attributes\":{\"version\":8,\"name\":\"ssl_certificate_tampering_rename\",\"description\":\"SSL certificates may have been tampered with\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/ssl/certs/**\\\", ~\\\"/etc/pki/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\\n&& process.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path != \\\"/usr/sbin/update-ca-certificates\\\"\\n&& process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", 
\\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n&& process.file.name !~ \\\"runc*\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142980369,\"updateDate\":1681490435881,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9hn-ukg-ek1\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222899530,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222899530,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ulc-8ym-1ch\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222899155,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222899155,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"zja-jqt-rpm\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898613,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898613,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"2ov-h11-m4w\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898408,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898408,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"shb-0xv-eib\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222898061,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222898061,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"psp-nbn-dtg\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1681222897739,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1681222897739,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mcq-6by-989\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856493876,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856493876,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tci-5f7-cis\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856492960,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856492960,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mey-lit-gzs\",\"attributes\":{\"version\":1,\"name\":\"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856491445,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856491445,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"4ve-rws-nw0\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856490988,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856490988,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"9aa-y0q-rrc\",\"attributes\":{\"version\":1,\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856490077,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856490077,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tvd-3p1-cai\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677856489180,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677856489180,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"asy-mod-zmt\",\"attributes\":{\"version\":5,\"name\":\"user_created_tty\",\"description\":\"A user was created via an interactive session\",\"expression\":\"exec.file.name in [\\\"useradd\\\", \\\"newusers\\\", \\\"adduser\\\"] && exec.tty_name !=\\\"\\\" && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && exec.args_flags not in [\\\"D\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392836979,\"updateDate\":1677793421528,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"rek-wb4-s7y\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_rename\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793418528,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"4fh-bb7-747\",\"attributes\":{\"version\":11,\"name\":\"credential_modified_chmod\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", 
\\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793414173,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yiy-mba-pny\",\"attributes\":{\"version\":5,\"name\":\"common_net_intrusion_util\",\"description\":\"A network utility (nmap) commonly used in intrusion attacks was executed\",\"expression\":\"exec.file.name in [\\\"nmap\\\", \\\"masscan\\\", \\\"fping\\\", \\\"zgrab\\\", \\\"zgrab2\\\", \\\"rustscan\\\", \\\"pnscan\\\"] && exec.args_flags not in [\\\"V\\\", \\\"version\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722067554,\"updateDate\":1677793413474,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3tj-btx-kvo\",\"attributes\":{\"version\":5,\"name\":\"package_management_in_container\",\"description\":\"Package management was detected in a container\",\"expression\":\"exec.file.path in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && container.id != \\\"\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722067648,\"updateDate\":1677793413044,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"oio-i4o-xzw\",\"attributes\":{\"version\":1,\"name\":\"tty_shell_in_container\",\"description\":\"A shell with a TTY was executed in a container\",\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] && process.tty_name != \\\"\\\" && process.container.id != \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793412844,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"qdc-oqx-zsx\",\"attributes\":{\"version\":8,\"name\":\"systemd_modification_chown\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", 
\\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793412379,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pwh-omk-qrr\",\"attributes\":{\"version\":3,\"name\":\"new_binary_execution_in_container\",\"description\":\"A container executed a new binary not found in the container image\",\"expression\":\"container.id != \\\"\\\" && process.file.in_upper_layer && process.file.modification_time < 30s && exec.file.name != \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1652129906455,\"updateDate\":1677793412378,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bgs-kbk-xkh\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_link\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793412375,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tmh-now-e61\",\"attributes\":{\"version\":6,\"name\":\"pci_11_5_critical_binaries_open\",\"description\":\"Critical system binaries may have been modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.path in [ ~\\\"/bin/*\\\", ~\\\"/sbin/*\\\", ~\\\"/usr/bin/*\\\", ~\\\"/usr/sbin/*\\\", ~\\\"/usr/local/bin/*\\\", ~\\\"/usr/local/sbin/*\\\", ~\\\"/boot/**\\\" ]\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142933669,\"updateDate\":1677793410974,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kxs-kt6-5gt\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_unlink\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793406609,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ohp-ags-xpk\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_utimes\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1677793405837,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"t8w-eul-chf\",\"attributes\":{\"version\":7,\"name\":\"systemd_modification_utimes\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1677793405627,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ay7-jkz-rda\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_unlink\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793404797,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fpw-paa-smb\",\"attributes\":{\"version\":10,\"name\":\"kernel_module_utimes\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", 
\\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793402985,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"c4t-pxu-ixk\",\"attributes\":{\"version\":10,\"name\":\"kernel_module_unlink\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793402725,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ec9-vff-7ni\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_link\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (link.file.path in [ 
~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || link.file.destination.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793401708,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"r5z-tke-sjm\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_link\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (link.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || link.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", 
\\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793401181,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"eoy-4fe-q7q\",\"attributes\":{\"version\":11,\"name\":\"credential_modified_chown\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (chown.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793399502,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"cd0-w8q-vl4\",\"attributes\":{\"version\":11,\"name\":\"kernel_module_chown\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (chown.file.path in [ 
~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793397722,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"bw8-80r-qih\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_BAiZP\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1677793394115,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1677793394115,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mpb-1rj-dv6\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_rename\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ]\\n || rename.file.destination.path in [ ~\\\"/lib/modules/**\\\", 
~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1677793394010,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ac4-asc-qi4\",\"attributes\":{\"version\":10,\"name\":\"credential_modified_rename\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", 
\\\"/usr/lib/snapd/snapd\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1677793391290,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gtx-vpl-ror\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_lszUX\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1675978633464,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1675978633464,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xye-pfo-y0r\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_open\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1674486423764,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"cmu-g58-cau\",\"attributes\":{\"version\":6,\"name\":\"cron_at_job_creation_rename\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || rename.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486423628,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"sna-hgh-vo4\",\"attributes\":{\"version\":3,\"name\":\"dynamic_linker_config_unlink\",\"description\":\"A process unlinked a dynamic linker config file\",\"expression\":\"unlink.file.path in [\\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf\\\", ~\\\"/etc/ld.so.conf.d/*.conf\\\"] && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1674486422738,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"efc-svz-7hu\",\"attributes\":{\"version\":1,\"name\":\"potential_web_shell_parent\",\"description\":\"A web application spawned a shell or shell utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] || exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] || exec.file.path in 
[\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\",\\\"/usr/bin/tsor
t\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"]) &&\\n(process.parent.file.name in [\\\"apache2\\\", \\\"nginx\\\", ~\\\"tomcat*\\\", \\\"httpd\\\"] || process.parent.file.name =~ \\\"php*\\\")\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1674486413493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tna-ty5-e7c\",\"attributes\":{\"version\":1,\"name\":\"mount_host_fs\",\"description\":\"The host file system was mounted in a container\",\"expression\":\"mount.source.path == \\\"/\\\" && mount.fs_type != \\\"overlay\\\" && container.id != \\\"\\\"\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1674486412444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ygi-ozn-m5d\",\"attributes\":{\"version\":1,\"name\":\"memfd_create\",\"description\":\"memfd object created\",\"expression\":\"exec.file.name =~ \\\"memfd*\\\" && exec.file.path == \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1674486411993,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nlp-lzc-rcf\",\"attributes\":{\"version\":5,\"name\":\"systemd_modification_open\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/lib/systemd/system/**\\\", 
~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142929241,\"updateDate\":1674486408888,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"avt-p2e-fyc\",\"attributes\":{\"version\":9,\"name\":\"kernel_module_chmod\",\"description\":\"A new kernel module was added\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/modules/**\\\", ~\\\"/usr/lib/modules/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"] && process.ancestors.file.path != \\\"/usr/bin/kmod\\\"\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746168,\"updateDate\":1674486407158,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ipa-v3l-kt6\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_chmod\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n 
&& process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) && chmod.file.destination.mode != chmod.file.mode\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486406983,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3xl-qds-f0e\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_chown\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486406776,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"0gu-pqy-o1a\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_link\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/var/spool/cron/**\\\", 
~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ]\\n || link.file.destination.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486406604,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ygn-d8o-ncr\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_utimes\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (utimes.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486406387,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"psd-3el-h33\",\"attributes\":{\"version\":9,\"name\":\"credential_modified_utimes\",\"description\":\"Sensitive credential files were modified using a non-standard tool\",\"expression\":\"(\\n (utimes.file.path in [ 
\\\"/etc/shadow\\\", \\\"/etc/gshadow\\\" ])\\n && process.file.path not in [ \\\"/sbin/vipw\\\", \\\"/usr/sbin/vipw\\\", \\\"/sbin/vigr\\\", \\\"/usr/sbin/vigr\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/sbin/groupadd\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/sbin/usermod\\\", \\\"/usr/sbin/userdel\\\", \\\"/usr/bin/gpasswd\\\", \\\"/usr/bin/chage\\\", \\\"/usr/sbin/chpasswd\\\", \\\"/usr/bin/passwd\\\" ]\\n && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1598516746271,\"updateDate\":1674486406248,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"atu-tci-bjn\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_unlink\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486405229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"onm-dqu-jly\",\"attributes\":{\"version\":7,\"name\":\"cron_at_job_creation_open\",\"description\":\"An unauthorized job was added to cron scheduling\",\"expression\":\"(\\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/var/spool/cron/**\\\", ~\\\"/etc/cron.*/**\\\", ~\\\"/etc/crontab\\\" ])\\n && process.file.path not in [ \\\"/usr/bin/at\\\", \\\"/usr/bin/crontab\\\" ]\\n)\\n&& process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/local/bin/containerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\"]\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142961130,\"updateDate\":1674486404864,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"kuu-k1s-gqz\",\"attributes\":{\"version\":6,\"name\":\"systemd_modification_chmod\",\"description\":\"A service may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/lib/systemd/system/**\\\", ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\" ])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\", \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"]\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142929241,\"updateDate\":1674486404846,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"hnh-eio-mow\",\"attributes\":{\"version\":2,\"name\":\"ptrace_antidebug\",\"description\":\"A process uses an anti-debugging technique to block debuggers\",\"expression\":\"ptrace.request == PTRACE_TRACEME && process.file.name != \\\"\\\"\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718435,\"updateDate\":1670604150759,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"f5y-pdn-pnj\",\"attributes\":{\"version\":4,\"name\":\"kernel_module_load\",\"description\":\"A kernel module was loaded\",\"expression\":\"load_module.name not in [\\\"nf_tables\\\", \\\"iptable_filter\\\", \\\"ip6table_filter\\\", \\\"bpfilter\\\", \\\"ip6_tables\\\", \\\"ip6table_nat\\\", \\\"nf_reject_ipv4\\\", \\\"ipt_REJECT\\\", \\\"iptable_raw\\\"] && process.ancestors.file.name not in [~\\\"falcon*\\\", \\\"unattended-upgrade\\\", \\\"apt.systemd.daily\\\", \\\"xtables-legacy-multi\\\", \\\"ssm-agent-worker\\\"]\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718458,\"updateDate\":1670604150549,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ddh-ld5-2rj\",\"attributes\":{\"version\":1,\"name\":\"aws_imds\",\"description\":\"An AWS IMDS was called via a network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\\\", 
\\\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\\", ~\\\"*169.254.170.2/*/credentials?id=*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150281,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"enj-kdc-1tt\",\"attributes\":{\"version\":1,\"name\":\"net_file_download\",\"description\":\"A suspicious file was written by a network utility\",\"expression\":\"open.flags & O_CREAT > 0 && process.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]\\n&& (\\n (open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.sh\\\", ~\\\"*.c\\\", ~\\\"*.so\\\", ~\\\"*.ko\\\"])\\n || open.file.path in [~\\\"/usr/**\\\", ~\\\"/lib/**\\\", ~\\\"/etc/**\\\", ~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\"]\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150067,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wew-y1h-1um\",\"attributes\":{\"version\":1,\"name\":\"compile_after_delivery\",\"description\":\"A compiler wrote a suspicious file in a container\",\"expression\":\"open.flags & O_CREAT > 0\\n&& (\\n (open.file.path =~ \\\"/tmp/**\\\" && open.file.name in [~\\\"*.ko\\\", ~\\\".*\\\"])\\n || open.file.path in [~\\\"/var/tmp/**\\\", ~\\\"/dev/shm/**\\\", ~\\\"/root/**\\\", ~\\\"*/bin/*\\\", ~\\\"/usr/local/lib/**\\\"]\\n)\\n&& (process.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || process.ancestors.comm in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"])\\n&& process.file.name not in [\\\"pip\\\", ~\\\"python*\\\"]\\n&& container.id != \\\"\\\"\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150062,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ct9-og0-h7h\",\"attributes\":{\"version\":1,\"name\":\"net_unusual_request\",\"description\":\"Network utility executed with suspicious URI\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*.php*\\\", ~\\\"*.jpg*\\\"] \",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150059,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"9dx-svj-apj\",\"attributes\":{\"version\":1,\"name\":\"azure_imds\",\"description\":\"An Azure IMDS was called via a network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150058,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"sah-xju-jcq\",\"attributes\":{\"version\":1,\"name\":\"gcp_imds\",\"description\":\"An GCP IMDS was called via a network utility\",\"expression\":\"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && exec.args in [~\\\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\\\", ~\\\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\\\"]\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1670604150002,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"mmk-0g6-4qu\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_VxNSK\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1668731826060,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1668731826060,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uze-gr4-sfh\",\"attributes\":{\"version\":1,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1667938921652,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1667938921652,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mgd-dmc-zta\",\"attributes\":{\"version\":1,\"name\":\"interactive_shell_in_container\",\"description\":\"An interactive shell was started inside of a container\",\"expression\":\"exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n 
\\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] && exec.args_flags in [\\\"i\\\"] && container.id !=\\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1666888169595,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"3lt-gov-2yu\",\"attributes\":{\"version\":4,\"name\":\"net_util\",\"description\":\"A network utility was executed\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id == \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1642158534952,\"updateDate\":1666888163498,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jx4-pkv-247\",\"attributes\":{\"version\":2,\"name\":\"dirty_pipe_attempt\",\"description\":\"Potential Dirty pipe exploitation attempt\",\"expression\":\"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid 
!= 0)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1648564123603,\"updateDate\":1666888163347,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ifl-wfe-sch\",\"attributes\":{\"version\":6,\"name\":\"net_util_in_container\",\"description\":\"A network utility was executed in a container\",\"expression\":\"(exec.comm in [\\\"socat\\\", \\\"dig\\\", \\\"nslookup\\\", \\\"host\\\", ~\\\"netcat*\\\", ~\\\"nc*\\\", \\\"ncat\\\"] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"]) &&\\ncontainer.id != \\\"\\\" && exec.args not in [ ~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\", ~\\\"*motd.ubuntu.com*\\\" ]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722068439,\"updateDate\":1666888163319,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"aux-r7v-odv\",\"attributes\":{\"version\":2,\"name\":\"dirty_pipe_exploitation\",\"description\":\"Potential Dirty pipe exploitation\",\"expression\":\"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid != 0 && process.gid != 0)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1648564123563,\"updateDate\":1666888163318,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vri-cjo-ywh\",\"attributes\":{\"version\":2,\"name\":\"pwnkit_privilege_escalation\",\"description\":\"A process was spawned with indicators of exploitation of CVE-2021-4034\",\"expression\":\"(exec.file.path == \\\"/usr/bin/pkexec\\\" && exec.envs in [~\\\"*SHELL*\\\", ~\\\"*PATH*\\\"] && exec.envs not in [~\\\"*DISPLAY*\\\", 
~\\\"*DESKTOP_SESSION*\\\"] && exec.uid != 0)\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1643639113864,\"updateDate\":1666888163135,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ejk-rbu-v9x\",\"attributes\":{\"version\":3,\"name\":\"passwd_execution\",\"description\":\"The passwd or chpasswd utility was used to modify an account password\",\"expression\":\"exec.file.path in [\\\"/usr/bin/passwd\\\", \\\"/usr/sbin/chpasswd\\\"] && exec.args_flags not in [\\\"S\\\", \\\"status\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722068383,\"updateDate\":1666888162106,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pej-frv-8lb\",\"attributes\":{\"version\":2,\"name\":\"java_shell_execution\",\"description\":\"A java process spawned a shell, shell utility, or HTTP utility\",\"expression\":\"(exec.file.path in [ \\\"/bin/dash\\\",\\n \\\"/usr/bin/dash\\\",\\n \\\"/bin/sh\\\",\\n \\\"/bin/static-sh\\\",\\n \\\"/usr/bin/sh\\\",\\n \\\"/bin/bash\\\",\\n \\\"/usr/bin/bash\\\",\\n \\\"/bin/bash-static\\\",\\n \\\"/usr/bin/zsh\\\",\\n \\\"/usr/bin/ash\\\",\\n \\\"/usr/bin/csh\\\",\\n \\\"/usr/bin/ksh\\\",\\n \\\"/usr/bin/tcsh\\\",\\n \\\"/usr/lib/initramfs-tools/bin/busybox\\\",\\n \\\"/bin/busybox\\\",\\n \\\"/usr/bin/fish\\\",\\n \\\"/bin/ksh93\\\",\\n \\\"/bin/rksh\\\",\\n \\\"/bin/rksh93\\\",\\n \\\"/bin/lksh\\\",\\n \\\"/bin/mksh\\\",\\n \\\"/bin/mksh-static\\\",\\n \\\"/usr/bin/csharp\\\",\\n \\\"/bin/posh\\\",\\n \\\"/usr/bin/rc\\\",\\n \\\"/bin/sash\\\",\\n \\\"/usr/bin/yash\\\",\\n \\\"/bin/zsh5\\\",\\n \\\"/bin/zsh5-static\\\" ] ||\\n exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] ||\\n 
exec.file.path in [\\\"/bin/cat\\\",\\\"/bin/chgrp\\\",\\\"/bin/chmod\\\",\\\"/bin/chown\\\",\\\"/bin/cp\\\",\\\"/bin/date\\\",\\\"/bin/dd\\\",\\\"/bin/df\\\",\\\"/bin/dir\\\",\\\"/bin/echo\\\",\\\"/bin/ln\\\",\\\"/bin/ls\\\",\\\"/bin/mkdir\\\",\\\"/bin/mknod\\\",\\\"/bin/mktemp\\\",\\\"/bin/mv\\\",\\\"/bin/pwd\\\",\\\"/bin/readlink\\\",\\\"/bin/rm\\\",\\\"/bin/rmdir\\\",\\\"/bin/sleep\\\",\\\"/bin/stty\\\",\\\"/bin/sync\\\",\\\"/bin/touch\\\",\\\"/bin/uname\\\",\\\"/bin/vdir\\\",\\\"/usr/bin/arch\\\",\\\"/usr/bin/b2sum\\\",\\\"/usr/bin/base32\\\",\\\"/usr/bin/base64\\\",\\\"/usr/bin/basename\\\",\\\"/usr/bin/chcon\\\",\\\"/usr/bin/cksum\\\",\\\"/usr/bin/comm\\\",\\\"/usr/bin/csplit\\\",\\\"/usr/bin/cut\\\",\\\"/usr/bin/dircolors\\\",\\\"/usr/bin/dirname\\\",\\\"/usr/bin/du\\\",\\\"/usr/bin/env\\\",\\\"/usr/bin/expand\\\",\\\"/usr/bin/expr\\\",\\\"/usr/bin/factor\\\",\\\"/usr/bin/fmt\\\",\\\"/usr/bin/fold\\\",\\\"/usr/bin/groups\\\",\\\"/usr/bin/head\\\",\\\"/usr/bin/hostid\\\",\\\"/usr/bin/id\\\",\\\"/usr/bin/install\\\",\\\"/usr/bin/join\\\",\\\"/usr/bin/link\\\",\\\"/usr/bin/logname\\\",\\\"/usr/bin/md5sum\\\",\\\"/usr/bin/md5sum.textutils\\\",\\\"/usr/bin/mkfifo\\\",\\\"/usr/bin/nice\\\",\\\"/usr/bin/nl\\\",\\\"/usr/bin/nohup\\\",\\\"/usr/bin/nproc\\\",\\\"/usr/bin/numfmt\\\",\\\"/usr/bin/od\\\",\\\"/usr/bin/paste\\\",\\\"/usr/bin/pathchk\\\",\\\"/usr/bin/pinky\\\",\\\"/usr/bin/pr\\\",\\\"/usr/bin/printenv\\\",\\\"/usr/bin/printf\\\",\\\"/usr/bin/ptx\\\",\\\"/usr/bin/realpath\\\",\\\"/usr/bin/runcon\\\",\\\"/usr/bin/seq\\\",\\\"/usr/bin/sha1sum\\\",\\\"/usr/bin/sha224sum\\\",\\\"/usr/bin/sha256sum\\\",\\\"/usr/bin/sha384sum\\\",\\\"/usr/bin/sha512sum\\\",\\\"/usr/bin/shred\\\",\\\"/usr/bin/shuf\\\",\\\"/usr/bin/sort\\\",\\\"/usr/bin/split\\\",\\\"/usr/bin/stat\\\",\\\"/usr/bin/stdbuf\\\",\\\"/usr/bin/sum\\\",\\\"/usr/bin/tac\\\",\\\"/usr/bin/tail\\\",\\\"/usr/bin/tee\\\",\\\"/usr/bin/test\\\",\\\"/usr/bin/timeout\\\",\\\"/usr/bin/tr\\\",\\\"/usr/bin/truncate\\\"
,\\\"/usr/bin/tsort\\\",\\\"/usr/bin/tty\\\",\\\"/usr/bin/unexpand\\\",\\\"/usr/bin/uniq\\\",\\\"/usr/bin/unlink\\\",\\\"/usr/bin/users\\\",\\\"/usr/bin/wc\\\",\\\"/usr/bin/who\\\",\\\"/usr/bin/whoami\\\",\\\"/usr/sbin/chroot\\\"])\\n&& process.ancestors.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722069224,\"updateDate\":1666888161764,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"llh-jd2-obf\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_cdxqn\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1666320581140,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1666320581140,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xae-nwo-v33\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_iNwDw\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1666305602255,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1666305602255,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rvp-ggu-cvk\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706668670,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706791898,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"vx9-lii-nnm\",\"attributes\":{\"version\":1,\"name\":\"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706690162,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706690162,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xur-uya-vqn\",\"attributes\":{\"version\":1,\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\",\"description\":\"My Agent 
rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706656639,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706656639,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"96x-aqb-3yh\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_RMoJm\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665706171079,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665706171079,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"smc-exb-ymp\",\"attributes\":{\"version\":1,\"name\":\"ld_preload_unusual_library_path\",\"description\":\"The LD_PRELOAD variable is populated by a link to a suspicious file directory\",\"expression\":\"exec.envs in [~\\\"LD_PRELOAD=*/tmp/*\\\" ,~\\\"LD_PRELOAD=/dev/shm/*\\\" ]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1665475122471,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fak-u9s-pac\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_chown\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (chown.file.path in [ ~\\\"/etc/pam.d/**\\\", 
\\\"/etc/pam.conf\\\" ])\\n) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1665475121157,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ki2-nwj-sot\",\"attributes\":{\"version\":4,\"name\":\"nsswitch_conf_mod_chmod\",\"description\":\"nsswitch may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1665475120054,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"12k-ui3-z4h\",\"attributes\":{\"version\":4,\"name\":\"pam_modification_chmod\",\"description\":\"PAM may have been modified without authorization\",\"expression\":\"(\\n (chmod.file.path in [ ~\\\"/etc/pam.d/**\\\", \\\"/etc/pam.conf\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1665475102566,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ien-7aw-blw\",\"attributes\":{\"version\":4,\"name\":\"ssh_authorized_keys_chown\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n chown.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (chown.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && 
(chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1665475102281,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"vqc-lta-u8c\",\"attributes\":{\"version\":4,\"name\":\"ssh_authorized_keys_chmod\",\"description\":\"SSH modified keys may have been modified\",\"expression\":\"(\\n chmod.file.name in [ \\\"authorized_keys\\\", \\\"authorized_keys2\\\" ] && (chmod.file.path in [ ~\\\"/root/.ssh/*\\\", ~\\\"/home/*/.ssh/*\\\", ~\\\"/var/lib/*/.ssh/*\\\" ])\\n) && chmod.file.destination.mode != chmod.file.mode\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1665475100348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"m1y-sk8-b4c\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule_xkrhu\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665129615755,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665129615755,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"19v-30b-0xf\",\"attributes\":{\"version\":1,\"name\":\"dummy_rule\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1665129432848,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1665129432848,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ehj-52q-wq0\",\"attributes\":{\"version\":1,\"name\":\"shell_history_symlink\",\"description\":\"A symbolic link for shell history was created targeting /dev/null\",\"expression\":\"exec.comm == \\\"ln\\\" && exec.args in [~\\\"*.*history*\\\", \\\"/dev/null\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1661193980229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"gp1-mai-dlc\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test_us1_prod\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661183150504,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661183150504,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ai3-b8g-lbc\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test_prod\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661182864424,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661182864424,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tmz-dqc-yml\",\"attributes\":{\"version\":1,\"name\":\"new_java_detect_sync_test\",\"description\":\"Execution of a java process\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1661182722064,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1661182722064,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ez9-ozl-3lz\",\"attributes\":{\"version\":2,\"name\":\"potential_cryptominer\",\"description\":\"A process resolved a DNS name associated with cryptomining activity\",\"expression\":\"dns.question.name in [~\\\"*minexmr.com\\\", ~\\\"*nanopool.org\\\", ~\\\"*supportxmr.com\\\", ~\\\"*c3pool.com\\\", ~\\\"*p2pool.io\\\", ~\\\"*ethermine.org\\\", ~\\\"*f2pool.com\\\", ~\\\"*poolin.me\\\", ~\\\"*rplant.xyz\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1658502077556,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tef-sab-thr\",\"attributes\":{\"version\":2,\"name\":\"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001153179,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001158687,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wup-o5b-tjo\",\"attributes\":{\"version\":1,\"name\":\"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001152681,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001152681,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"c3v-vla-rev\",\"attributes\":{\"version\":1,\"name\":\"examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1656001148856,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1656001148856,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"yel-nbl-2pj\",\"attributes\":{\"version\":1,\"name\":\"testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1654691372829,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1654691372829,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"},{\"id\":\"rp0-hmk-9c1\",\"attributes\":{\"version\":1,\"name\":\"ip_check_domain\",\"description\":\"A DNS lookup was done for a IP check service\",\"expression\":\"dns.question.name in [\\\"icanhazip.com\\\", \\\"ip-api.com\\\", \\\"myip.opendns.com\\\", \\\"checkip.amazonaws.com\\\", \\\"whatismyip.akamai.com\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1654020337230,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"q7y-2ci-hkh\",\"attributes\":{\"version\":1,\"name\":\"paste_site\",\"description\":\"A DNS lookup was done for a pastebin-like 
site\",\"expression\":\"dns.question.name in [\\\"pastebin.com\\\", \\\"ghostbin.com\\\", \\\"termbin.com\\\", \\\"klgrth.io\\\"] && process.file.name != \\\"\\\"\",\"category\":\"Network Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":0,\"updateDate\":1654020335889,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ntj-rfs-mw3\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1652008845797,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1652008845797,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dyn-u7u-v86\",\"attributes\":{\"version\":2,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997888388,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997888544,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mlg-yxw-uig\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997887223,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997887223,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lq3-t6t-xng\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997886363,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997886363,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"1hp-hpr-4ez\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997885869,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997885869,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mt3-pks-n5s\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997884985,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997884985,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"r4a-yvz-rj7\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651997884150,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651997884150,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"5k1-gwi-0aq\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651943472022,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651943472022,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lkj-jnq-r6s\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651915815493,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651915815493,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"mbc-iwk-zpb\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651912470539,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651912470539,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fzb-lli-m26\",\"attributes\":{\"version\":1,\"name\":\"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1651867150336,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1651867150336,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"9mk-xxe-lpw\",\"attributes\":{\"version\":2,\"name\":\"suspicious_container_client\",\"description\":\"A container management utility was executed in a container\",\"expression\":\"exec.file.name in [\\\"docker\\\", \\\"kubectl\\\"] && container.id != \\\"\\\"\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1617722068555,\"updateDate\":1651671394200,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ieg-lmk-cgo\",\"attributes\":{\"version\":2,\"name\":\"kernel_module_load_container\",\"description\":\"A container loaded a new kernel module\",\"expression\":\"load_module.name != \\\"\\\" && container.id !=\\\"\\\"\",\"category\":\"Kernel 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718705,\"updateDate\":1650371511241,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"lzx-kkv-at3\",\"attributes\":{\"version\":1,\"name\":\"ptrace_injection\",\"description\":\"A process attempted to inject code into another process\",\"expression\":\"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request == PTRACE_POKEUSR\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718540,\"updateDate\":1650293789265,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"foo-pve-qbq\",\"attributes\":{\"version\":1,\"name\":\"kernel_module_load_from_memory_container\",\"description\":\"A kernel module was loaded from memory inside a container\",\"expression\":\"load_module.loaded_from_memory == true && container.id !=\\\"\\\"\",\"category\":\"Kernel Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1650293718365,\"updateDate\":1650293788418,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"irg-o45-pxz\",\"attributes\":{\"version\":3,\"name\":\"example_agent_rule\",\"description\":\"An example agent rule generated in terraform\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1647036168203,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1647036377676,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rsy-7jg-hqm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392938634,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392938634,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"m39-rre-anw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392919175,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392919175,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"4wd-unc-xof\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392899126,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392899126,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jhk-qpj-jlt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392475857,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392475857,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ruf-aic-d4j\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392453588,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392453588,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"jtf-zrn-0ph\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392434263,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392434263,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ijz-1cz-bms\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392042558,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392042558,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"21m-gs8-p43\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643392021741,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643392021741,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"in7-ydq-pbw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391998597,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391998597,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"v8v-sem-rmg\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391745920,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391745920,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kox-qtp-cbn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391725233,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391725233,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"thp-evn-3gr\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643391702920,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643391702920,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hx6-v0z-9gk\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390450706,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390450706,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n8j-9n3-urm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390427444,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390427444,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tkl-mjf-is5\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390405807,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390405807,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"up2-fhh-bc8\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390171673,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390171673,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"vdu-0rd-lnj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390147278,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390147278,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dfb-wz2-0ka\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643390124588,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643390124588,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"7vz-wdj-vwc\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389998703,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389998703,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"qls-upn-1vc\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389972825,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389972825,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rxo-lya-bqu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389950224,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389950224,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dm3-ip4-rza\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389929035,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389929035,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rzs-ccq-4qm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389773436,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389773436,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wa9-zm8-8ds\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389706550,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389706550,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"alm-sgy-vz3\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389645597,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389645597,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dls-vo9-rqx\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389575084,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389575084,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fyz-u20-nvn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389549031,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389549031,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nqv-0et-fcj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389523942,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389523942,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"u7v-36z-wue\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389502800,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389502800,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"y2z-ffa-zys\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389479547,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389479547,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cym-1zi-nnd\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389428402,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389428402,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ip9-wgt-q3k\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389406698,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389406698,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"t9d-zbo-2nw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389381751,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389381751,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kaw-0h7-dji\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389356453,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389356453,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"m4i-otg-jnj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389335243,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389335243,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"heh-lnh-xwm\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389226802,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389226802,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cwa-5rh-qtd\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389204108,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389204108,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"e5l-xtx-hmi\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389181761,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389181761,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ebx-lyj-r3a\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389155207,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389155207,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"xac-4if-49b\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389130549,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389130549,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dh6-bdu-8v0\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643389106392,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643389106392,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hkd-6dr-ify\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388960762,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388960762,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"bsx-fod-0xj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388931383,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388931383,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"8jt-x9p-yoy\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388907818,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388907818,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rhd-qao-dub\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388883010,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388883010,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"j0f-fhi-ab7\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388862340,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388862340,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rvn-u2c-xm4\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388843151,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388843151,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ldn-agb-3fl\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388744863,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388744863,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cyr-g7t-to0\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388719895,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388719895,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wnm-xkk-mat\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388693095,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388693095,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"moo-kuq-zbt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388275282,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388275282,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"wzs-moc-ji9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388250051,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388250051,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"uw2-d3y-5h6\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388226579,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388226579,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fez-txs-qf9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388201323,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388201323,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fga-mna-xej\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388177724,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388177724,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"iyn-7sl-swn\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"go\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388157048,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388157048,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"p3w-qyi-pbo\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643388010676,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643388010676,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"yyt-sfa-fck\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387597089,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387597089,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"5z7-fqq-siu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387573023,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387573023,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ivz-amj-yl7\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387549793,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387549793,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"lyv-3xn-qch\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387524178,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387524178,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"fpt-c7o-ipx\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387500298,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387500298,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"tap-fek-5kw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387480011,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387480011,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"u7b-x0z-cbe\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387165931,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387165931,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hhe-gcm-vjl\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387141298,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387141298,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"nt9-5fe-de1\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387114912,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387114912,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"pj0-bcy-euh\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387082695,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387082695,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"rm5-px4-iua\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387057879,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387057879,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"cqz-7pc-ajz\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643387032689,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643387032689,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"hot-prj-df5\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386926682,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386926682,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"q7n-lvv-4au\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386901939,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386901939,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"gly-5wu-uny\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386877222,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386877222,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"umz-fjl-7qq\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\",\"description\":\"an 
agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386850558,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386850558,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"spq-5f8-isw\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386826170,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386826170,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"dul-hdz-xmo\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386804704,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386804704,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"n94-q2a-co9\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386762229,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386762229,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"x1n-wra-hdt\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386735946,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386735946,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"kgt-kcc-tnu\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\",\"description\":\"an agent 
rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386713348,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386713348,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"znp-dul-gcj\",\"attributes\":{\"version\":1,\"name\":\"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\",\"description\":\"an agent rule\",\"expression\":\"exec.file.name == \\\"java\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1643386674573,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1643386674573,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"},{\"id\":\"ily-tsr-dtj\",\"attributes\":{\"version\":1,\"name\":\"compiler_in_container\",\"description\":\"Compiler Executed in Container\",\"expression\":\"(exec.file.name in [\\\"javac\\\", \\\"clang\\\", \\\"gcc\\\",\\\"bcc\\\"] || (exec.file.name == \\\"go\\\" && exec.args in [~\\\"*build*\\\", ~\\\"*run*\\\"])) && container.id !=\\\"\\\" && process.ancestors.file.path != \\\"/usr/bin/cilium-agent\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392836759,\"updateDate\":1636729662344,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"jl5-wjt-58e\",\"attributes\":{\"version\":1,\"name\":\"aws_metadata_service\",\"description\":\"EC2 Instance Metadata Service Accessed via Network Utility\",\"expression\":\"exec.file.path in [\\\"/usr/bin/wget\\\", \\\"/usr/bin/curl\\\"] && exec.args in [~\\\"*169.254.169.254*\\\"]\",\"category\":\"Process Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1627392836096,\"updateDate\":1629226276630,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"8ol-dkr-aml\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_link\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (link.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || link.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"fdf-wvb-c3k\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_open\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\\n (open.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"pkn-azw-qia\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_rename\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (rename.file.path in [ \\\"/etc/nsswitch.conf\\\" ]\\n || rename.file.destination.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"wpt-ba8-mpd\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_unlink\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (unlink.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"7ud-d2o-qgo\",\"attributes\":{\"version\":3,\"name\":\"nsswitch_conf_mod_utimes\",\"description\":\"Nsswitch Configuration Modified\",\"expression\":\"(\\n (utimes.file.path in [ \\\"/etc/nsswitch.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142958657,\"updateDate\":1628512222322,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"za8-uxc-jxk\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_link\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n link.file.name == \\\"authorized_keys\\\" && (link.file.path in [ ~\\\"*/.ssh/*\\\" ]\\n || link.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"nej-iw4-adk\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_open\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n open.file.name == \\\"authorized_keys\\\" && (open.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"tiz-yss-zhq\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_rename\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n rename.file.name == \\\"authorized_keys\\\" && (rename.file.path in [ ~\\\"*/.ssh/*\\\" ]\\n || rename.file.destination.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"apr-zj4-ee1\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_unlink\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n unlink.file.name == \\\"authorized_keys\\\" && (unlink.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"yhq-etl-wr6\",\"attributes\":{\"version\":3,\"name\":\"ssh_authorized_keys_utimes\",\"description\":\"SSH Authorized Keys Modified\",\"expression\":\"(\\n utimes.file.name == \\\"authorized_keys\\\" && (utimes.file.path in [ ~\\\"*/.ssh/*\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142954844,\"updateDate\":1628512221784,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"m8i-uhr-aoq\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_link\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (link.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ]\\n || link.file.destination.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"adl-qjr-lyg\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_open\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\\n (open.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"2fy-aqt-8mz\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_rename\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (rename.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ]\\n || rename.file.destination.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"},{\"id\":\"ei7-n5e-rvv\",\"attributes\":{\"version\":3,\"name\":\"pam_modification_unlink\",\"description\":\"PAM Configuration Files Modification\",\"expression\":\"(\\n (unlink.file.path in [ ~\\\"/etc/pam.d/*\\\", \\\"/etc/pam.conf\\\" ])\\n)\",\"category\":\"File 
Activity\",\"defaultRule\":true,\"enabled\":true,\"creationDate\":1606142936138,\"updateDate\":1628512221276,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"\",\"handle\":\"\"},\"updater\":{\"name\":\"\",\"handle\":\"\"}},\"type\":\"agent_rule\"}]}\n", "headers": { "Content-Type": [ "application/json" @@ -54,26 +24,5 @@ "unlimited": true }, "id": "cd6f56ab-0bb2-6cf9-9ca4-3ceb6ee894b8" - }, - { - "httpRequest": { - "headers": {}, - "method": "DELETE", - "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/sk6-sni-wfh", - "keepAlive": false, - "secure": true - }, - "httpResponse": { - "headers": {}, - "statusCode": 204, - "reasonPhrase": "No Content" - }, - "times": { - "remainingTimes": 1 - }, - "timeToLive": { - "unlimited": true - }, - "id": "250bee78-6d7f-affc-b64a-6f5795a43044" } ] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze index 6578c458985..9c2278bbc1e 100644 --- a/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze +++ b/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze @@ -1 +1 @@ -2024-04-23T17:57:49.946Z \ No newline at end of file +2025-04-01T14:30:59.240Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.json index 6eade187964..44f02bd4027 100644 --- a/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.json +++ b/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.json 
@@ -8,7 +8,7 @@ "secure": true }, "httpResponse": { - "body": "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", + "body": "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", "headers": { "Content-Type": [ "application/zip" diff --git a/src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze index 795e3afea84..f0de7ad5984 100644 --- a/src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze +++ b/src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze @@ -1 +1 @@ -2024-04-23T17:57:50.126Z \ No newline at end of file +2025-04-01T14:30:59.438Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.json index 305812579e1..aeb024e3f6e 100644 --- a/src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.json +++ b/src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.json 
@@ -8,7 +8,7 @@ "secure": true }, "httpResponse": { - "body": "# IMPORTANT: Edits to this file will not be reflected in the Datadog App and will be overwritten with new policy file downloads. Please modify rules in the Datadog App for full functionality.\nversion: '1713895070226'\nrules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An AppArmor profile was modified in an interactive session\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n !=\"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditctl_usage\n version: fdc2412d\n description: The auditctl command was used to modify auditd\n expression: exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditd_config_modified\n version: c7f52a7a\n description: The auditd configuration file was modified without using auditctl\n expression: open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\n > 0 && process.file.name != \"auditctl\"\n agent_version: ''\n filters: []\n- id: auditd_rule_file_modified\n version: c533115d\n description: The auditd rules file was modified without using auditctl\n expression: open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name !=\n \"auditctl\"\n agent_version: ''\n filters: []\n- id: aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description: The AWS EKS service account token was accessed\n expression: open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n 
\"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: aws_imds\n version: 6d47fcfe\n description: An AWS IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\",\n \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]\n agent_version: ''\n filters: []\n- id: aws_metadata_service\n version: 4601e52e\n description: EC2 Instance Metadata Service Accessed via Network Utility\n expression: exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in\n [~\"*169.254.169.254*\"]\n agent_version: ''\n filters: []\n- id: azure_imds\n version: 784f9a83\n description: An Azure IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]\n agent_version: ''\n filters: []\n- id: chatroom_request\n version: 91aa2a0f\n description: A DNS request was made for a chatroom domain\n expression: dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: common_net_intrusion_util\n version: c7198131\n description: A network utility (nmap) commonly used in intrusion attacks was executed\n expression: exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\",\n \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]\n agent_version: ''\n filters: []\n- id: compile_after_delivery\n version: f41c1e36\n description: A compiler wrote a suspicious file in a container\n expression: |-\n open.flags & O_CREAT > 0\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", 
~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n )\n && (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n && process.file.name not in [\"pip\", ~\"python*\"]\n && container.id != \"\"\n agent_version: ''\n filters: []\n- id: compiler_in_container\n version: 441a7e85\n description: Compiler Executed in Container\n expression: (exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path\n != \"/usr/bin/cilium-agent\"\n agent_version: ''\n filters: []\n- id: credential_modified_chmod\n version: 7e14d921\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: credential_modified_chown\n version: 3731e0d5\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
\"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: credential_modified_link\n version: 7594ec54\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_open_v2\n version: 5aec9afe\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
\"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n version: 8bb8242b\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_unlink\n version: 5af577d\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", 
\"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n version: 1c101338\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chmod\n version: 13512ebc\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && chmod.file.destination.mode != chmod.file.mode\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chown\n version: ee7b306c\n description: An 
unauthorized job was added to cron scheduling\n expression: |-\n (\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_link\n version: b83e03f6\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_open\n version: 561ad06\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_rename\n version: 59b739d8\n description: An unauthorized job was 
added to cron scheduling\n expression: |-\n (\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_unlink\n version: 82b6d187\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_utimes\n version: d460ba68\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cryptominer_args\n version: fc017137\n description: A process launched with arguments associated with cryptominers\n expression: exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args\n in [~\"*stratum+tcp*\"]\n 
agent_version: ''\n filters:\n - os == \"linux\"\n- id: cryptominer_envs\n version: 654a00aa\n description: Process environment variables match cryptocurrency miner\n expression: exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: curl_docker_socket\n version: f736b6e6\n description: The Docker socket was referenced in a cURL command\n expression: exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args\n in [\"*docker.sock*\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: database_shell_execution\n version: 3508c713\n description: A database application spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n process.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n !(process.parent.file.name == \"initdb\" &&\n exec.args == \"-c locale -a\") &&\n !(process.parent.file.name == 
\"postgres\" &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: deploy_priv_container\n version: 356d5ee7\n description: A privileged container was created\n expression: exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted\n & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters: []\n- id: dirty_pipe_attempt\n version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag\n & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dirty_pipe_exploitation\n version: 9bcacfe3\n description: Potential Dirty pipe exploitation\n expression: (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dummy_rule\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_BAiZP\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_CpDMZ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_HfYXr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_LPRxi\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_RMoJm\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_Tjzvu\n version: 28ba1078\n description: Execution of a java 
process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VxNSK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_XcxFr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bKkuv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_cdxqn\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_fWORB\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_iNwDw\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_ivMAv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_jcvqK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_lszUX\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_xkrhu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n version: 1924611e\n description: A process unlinked a dynamic linker config file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", 
\"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"]\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_write\n version: 764fc516\n description: A process wrote to a dynamic linker config file\n expression: open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: example_agent_rule\n version: 28ba1078\n description: An example agent rule generated in terraform\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\n version: 
f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exec_lsmod\n version: 1a14c811\n description: Kernel modules were listed using the lsmod command\n expression: exec.comm == \"lsmod\"\n agent_version: ''\n filters: []\n- id: exec_whoami\n version: 90ea91b6\n description: The whoami command was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n filters: []\n- id: gcp_imds\n version: 3035dbbf\n description: An GCP IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\",\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version: 60fd84a9\n description: A hidden file was executed in a suspicious folder\n expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version: ''\n filters: []\n- id: interactive_shell_in_container\n version: 757f83d3\n description: An 
interactive shell was started inside of a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: ip_check_domain\n version: 2d5285c0\n description: A DNS lookup was done for a IP check service\n expression: dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: java_shell_execution\n version: 24c2eb7c\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.ancestors.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: java_shell_execution_parent\n version: 1bcff0aa\n description: A java process spawned a shell, shell 
utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1s
um\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.parent.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: jupyter_shell_execution\n version: d2d9243c\n description: A Jupyter notebook executed a shell\n expression: (exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"]\n || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in 
[\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"])\n && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: k8s_pod_service_account_token_accessed\n version: 88c0ee3a\n description: The Kubernetes pod service account token was accessed\n expression: open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\",\n ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\"\n && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\",\n \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\",\n \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path not in [\"/usr/bin/cilium-agent\",\n \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\",\n \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\",\n \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\",\n \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\",\n \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\",\n \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\",\n \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\",\n \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", 
\"/usr/local/bin/registration-controller\",\n \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 82c61c82\n description: A new kernel module was added\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: kernel_module_chown\n version: ca2cf124\n description: A new kernel module was added\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && 
process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: kernel_module_link\n version: a18ca197\n description: A new kernel module was added\n expression: |-\n (\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_load\n version: 904592b4\n description: A kernel module was loaded\n expression: load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\",\n \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"]\n && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\",\n \"xtables-legacy-multi\", \"ssm-agent-worker\"]\n agent_version: ''\n filters: []\n- id: kernel_module_load_container\n version: 139b666a\n description: A container loaded a new kernel module\n expression: load_module.name != \"\" && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n description: A kernel module was loaded from memory\n expression: load_module.loaded_from_memory == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n version: a277c753\n description: A kernel module was loaded 
from memory inside a container\n expression: load_module.loaded_from_memory == true && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_open\n version: 55f9569\n description: A new kernel module was added\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_rename\n version: 9d8cb7d8\n description: A new kernel module was added\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_unlink\n version: 652391be\n description: A new kernel module was added\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_utimes\n version: 405d45e7\n description: A new kernel module was added\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kmod_list\n version: c353a548\n description: Kernel modules were listed using the kmod command\n expression: exec.comm == \"kmod\" && exec.args in [~\"*list*\"]\n agent_version: ''\n filters: []\n- id: ld_preload_unusual_library_path\n version: cc6fd0c4\n description: The LD_PRELOAD variable is populated by a link to a suspicious file\n directory\n expression: exec.envs in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]\n agent_version: ''\n filters: []\n- id: memfd_create\n version: 5908512a\n description: memfd object created\n expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\"\n agent_version: ''\n filters: []\n- id: mount_host_fs\n version: accb4f\n description: The host file system was mounted in a container\n expression: mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n 
agent_version: ''\n filters: []\n- id: mount_proc_hide\n version: fd887e01\n description: Process hidden using mount\n expression: mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\",\n ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_file_download\n version: 75b930ad\n description: A suspicious file was written by a network utility\n expression: |-\n open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n )\n agent_version: ''\n filters: []\n- id: net_unusual_request\n version: 3df2d9ef\n description: Network utility executed with suspicious URI\n expression: 'exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n filters: []\n- id: net_util\n version: fc362090\n description: A network utility was executed\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_exfiltration\n version: 5f7c8871\n description: Exfiltration attempt via network utility\n expression: \"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options\\\n \\ in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\"\\\n , ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_util_in_container\n version: 69e03ac1\n description: A network utility 
was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_in_container_v2\n version: 26d8eba1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: network_sniffing_tool\n version: 4ae409bf\n description: Local account groups were enumerated after container start up\n expression: exec.file.name in [\"tcpdump\", \"tshark\"]\n agent_version: ''\n filters: []\n- id: new_binary_execution_in_container\n version: 9dc42e1d\n description: A container executed a new binary not found in the container image\n expression: container.id != \"\" && process.file.in_upper_layer && process.file.modification_time\n < 30s && exec.file.name != \"\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_us1_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chmod\n version: d301aedf\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n 
(chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chown\n version: '69383592'\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_link\n version: e0565b29\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open\n version: b5602c6f\n description: Nsswitch Configuration Modified\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open_v2\n version: abef53c9\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_rename\n version: aad34176\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_unlink\n version: 8a3e2fbb\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n 
agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: ntds_in_commandline\n version: 5cdd4bba\n description: NTDS file referenced in commandline\n expression: exec.cmdline =~ \"*ntds.dit*\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: offensive_k8s_tool\n version: b83fba22\n description: A known kubernetes pentesting tool has been executed\n expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv ||\n \"kubestriker\" in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: package_management_in_container\n version: c152fcaf\n description: Package management was detected in a container\n expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: pam_modification_chmod\n version: 974a676e\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pam_modification_chown\n version: ca22d0ab\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pam_modification_link\n version: 3d5d6b31\n description: PAM Configuration Files Modification\n 
expression: |-\n (\n (link.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_open\n version: 9440f452\n description: PAM Configuration Files Modification\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_rename\n version: bd1d257a\n description: PAM Configuration Files Modification\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_unlink\n version: c3dc53e1\n description: PAM Configuration Files Modification\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_utimes\n version: d377b599\n description: PAM may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: passwd_execution\n version: e1d41f5e\n description: The passwd or chpasswd utility was used to modify an account password\n expression: exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags\n not in [\"S\", \"status\"]\n agent_version: ''\n filters: []\n- id: paste_site\n version: b528c8d4\n description: A DNS lookup was done for a pastebin-like site\n expression: dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\",\n \"klgrth.io\"] && process.file.name 
!= \"\"\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chown\n version: 21da2189\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_link\n version: a7ac587c\n description: Critical system binaries may have been modified\n expression: |-\n (\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", 
~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open\n version: f583ba7c\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open_v2\n version: 45abd074\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version: e0bc0857\n description: Critical system binaries may have been modified\n expression: |-\n (\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_unlink\n version: 3bb086ca\n description: Critical system binaries may have been modified\n expression: |-\n (\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_utimes\n version: 6d979630\n description: Critical system binaries may have been modified\n expression: |-\n (\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: potential_cryptominer\n version: 4241c309\n description: A process resolved a DNS name associated with cryptomining activity\n expression: dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\",\n ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\",\n ~\"*rplant.xyz\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: potential_web_shell_parent\n version: b67ffbcd\n description: A web application spawned a shell or shell utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n 
\"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\
",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")\n agent_version: ''\n filters: []\n- id: ps_discovery\n version: a0a32c4b\n description: Processes were listed using the ps command\n expression: exec.comm == \"ps\" && exec.argv not in [\"-p\", \"--pid\"] && process.ancestors.file.name\n not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] && process.parent.file.name\n not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\",\n \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\",\n \"check_procs\", \"newrelic-daemon\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ptrace_antidebug\n version: a6289ff7\n description: A process uses an anti-debugging technique to block debuggers\n expression: ptrace.request == PTRACE_TRACEME && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: ptrace_injection\n version: 6d290a43\n description: A process attempted to inject code into another process\n expression: ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n || ptrace.request == PTRACE_POKEUSR\n agent_version: ''\n filters: []\n- id: pwnkit_privilege_escalation\n version: c83bbabc\n description: A process was spawned with indicators of exploitation of CVE-2021-4034\n expression: (exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"]\n && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)\n agent_version: ''\n filters: []\n- id: python_cli_code\n version: '989474'\n description: Python code was provided on the command line\n expression: exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args\n in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", 
\"*-c*/bin/sh*\", \"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version: ''\n filters: []\n- id: ransomware_note\n version: ee40f85a\n description: Possible ransomware note created under common user directories\n expression: |-\n open.flags & O_CREAT > 0\n && open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n && open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] && open.file.name not in [r\".*\\.lock$\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n description: RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: read_kubeconfig\n version: '80926379'\n description: The kubeconfig file was accessed\n expression: open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]\n agent_version: ''\n filters: []\n- id: read_release_info\n version: d0cc9710\n description: OS information was read from the /etc/lsb-release file\n expression: open.file.path == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0\n agent_version: ''\n filters: []\n- id: redis_save_module\n version: b1cb9110\n description: Redis module has been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\", \"redis-server\"]\n agent_version: ''\n filters: []\n- id: registry_runkey_modified\n version: 
3df7b8e9\n description: A Registry runkey has been modified\n expression: set.registry.key_path in [~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\n NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: runc_modification\n version: c7144439\n description: The runc binary was modified in a non-standard way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: safeboot_modification\n version: 75fb1a6f\n description: Safeboot registry modified\n expression: set.registry.key_path =~ \"*\\\\HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\"\n agent_version: 
''\n filters:\n - os == \"windows\"\n- id: scheduled_task_creation\n version: 9c3f2289\n description: A scheduled task was created\n expression: exec.file.name in [\"at.exe\",\"schtasks.exe\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: selinux_disable_enforcement\n version: afa9a8ba\n description: SELinux enforcement status was disabled\n expression: selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args\n != ~\"*BECOME-SUCCESS*\"\n agent_version: ''\n filters: []\n- id: service_stop\n version: 8e434232\n description: systemctl used to stop a service\n expression: exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]\n agent_version: ''\n filters: []\n- id: shell_history_deleted\n version: ff763e6\n description: Shell History was Deleted\n expression: (unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") && process.comm\n not in [\"dockerd\", \"containerd\"]\n agent_version: ''\n filters: []\n- id: shell_history_symlink\n version: 31982e4d\n description: A symbolic link for shell history was created targeting /dev/null\n expression: exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n agent_version: ''\n filters: []\n- id: shell_history_truncated\n version: 38ec83e8\n description: Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name\n =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path in [~\"/root/*\", ~\"/home/**\"]\n && process.file.name == \"truncate\"\n agent_version: ''\n filters: []\n- id: shell_profile_modification\n version: d1cecdac\n description: Shell profile was modified\n expression: open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chmod\n version: e4096f79\n description: SSH modified keys may have been modified\n expression: |-\n (\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] 
&& (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chown\n version: 9639bf6\n description: SSH modified keys may have been modified\n expression: |-\n (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_link\n version: 81382bdd\n description: SSH Authorized Keys Modified\n expression: |-\n (\n link.file.name == \"authorized_keys\" && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open\n version: 1ae8f7d6\n description: SSH Authorized Keys Modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name == \"authorized_keys\" && (open.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open_v2\n version: 513f8108\n description: SSH modified keys may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_rename\n version: fd3bdabf\n description: SSH Authorized Keys Modified\n expression: |-\n (\n rename.file.name == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_unlink\n version: 54cf4a88\n description: SSH Authorized Keys Modified\n 
expression: |-\n (\n unlink.file.name == \"authorized_keys\" && (unlink.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_utimes\n version: 59377e61\n description: SSH Authorized Keys Modified\n expression: |-\n (\n utimes.file.name == \"authorized_keys\" && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_it_tool_config_write\n version: 86ae3762\n description: The configuration directory for an ssh worm\n expression: open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\",\n ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) >\n 0\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_chmod\n version: d8ac6517\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.mode != chmod.file.destination.mode\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_chown\n version: 3d04895f\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_link\n version: eb594616\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n )\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open\n version: c34bcf3a\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open_v2\n version: a90058eb\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_rename\n version: e42eefb4\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: 
ssl_certificate_tampering_unlink\n version: 37c40311\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_utimes\n version: 29db81c1\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chmod\n version: ae70daab\n description: Sudoers policy file may have been modified without authorization\n expression: \"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode\\\n \\ != chmod.file.mode && process.ancestors.file.path not in 
[~\\\"/usr/bin/apt*\\\"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\"\\\n , ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"\\\n ]\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chown\n version: 898b1aa0\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (chown.file.path == \"/etc/sudoers\")\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_link\n version: 1f1b8962\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_open\n version: af2610b6\n description: Sudoers policy file may have been modified without authorization\n expression: |2-\n\n (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_rename\n version: 531fc9ae\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_unlink\n version: 5568da57\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (unlink.file.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_utimes\n version: d99c2466\n 
description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (utimes.file.path == \"/etc/sudoers\")\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: suid_file_execution\n version: 1b4f4075\n description: a SUID file was executed\n expression: (setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID\n > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"\n agent_version: ''\n filters: []\n- id: suspicious_container_client\n version: 8b9461f4\n description: A container management utility was executed in a container\n expression: exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: suspicious_suid_execution\n version: 216c8207\n description: Recently written or modified suid file has been executed\n expression: ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n version: b0643139\n description: A service may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && 
process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: systemd_modification_chown\n version: a0497885\n description: A service may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: systemd_modification_link\n version: 11a77f5b\n description: A service may have been modified without authorization\n expression: |-\n (\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_open\n version: b6dce303\n description: A service may have been modified without authorization\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_rename\n version: 9759ce6\n description: A service may have been modified without authorization\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_unlink\n version: 8400ece8\n description: A service may have been modified without authorization\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_utimes\n version: 82acf2d\n description: A service may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: tar_execution\n version: e63af392\n description: Tar archive created\n expression: exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- 
id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\n version: f43786f8\n description: Test Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: Test Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n 
agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == 
\"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n 
agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n 
agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\n version: 28ba1078\n description: an agent 
rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == 
\"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: 
[]\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\n version: 28ba1078\n description: an agent rule\n expression: 
exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\n 
version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tty_shell_in_container\n version: 3d9489bb\n description: A shell with a TTY was executed in a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"\n agent_version: ''\n filters: []\n- id: tunnel_traffic\n version: 816201a5\n description: Tunneling or port forwarding tool used\n expression: ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags\n in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in\n [\"R\", \"L\", \"D\", \"w\"] && process.args in 
[r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"]\n ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"])\n || (exec.comm == \"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) ||\n (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\",\n \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: user_created_tty\n version: 5b5f4a52\n description: A user was created via an interactive session\n expression: exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name\n !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version: ''\n filters: []\n- id: user_deleted_tty\n version: ad8edbe\n description: A user was deleted via an interactive session\n expression: exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path\n not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: windows_cryptominer_process\n version: e26f81ab\n description: A cryptominer was potentially executed\n expression: exec.cmdline in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\",\n ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\",\n ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n", + "body": "# IMPORTANT: Edits to this file will not be reflected in the 
Datadog App and will be overwritten with new policy file downloads. Please modify rules in the Datadog App for full functionality.\nversion: '1743517859524'\nrules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An AppArmor profile was modified in an interactive session\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n !=\"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditctl_usage\n version: fdc2412d\n description: The auditctl command was used to modify auditd\n expression: exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditd_config_modified\n version: c7f52a7a\n description: The auditd configuration file was modified without using auditctl\n expression: open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\n > 0 && process.file.name != \"auditctl\"\n agent_version: ''\n filters: []\n- id: auditd_rule_file_modified\n version: c533115d\n description: The auditd rules file was modified without using auditctl\n expression: open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name !=\n \"auditctl\"\n agent_version: ''\n filters: []\n- id: aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description: The AWS EKS service account token was accessed\n expression: open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n 
\"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: aws_imds\n version: 6d47fcfe\n description: An AWS IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\",\n \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]\n agent_version: ''\n filters: []\n- id: aws_metadata_service\n version: 4601e52e\n description: EC2 Instance Metadata Service Accessed via Network Utility\n expression: exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in\n [~\"*169.254.169.254*\"]\n agent_version: ''\n filters: []\n- id: azure_imds\n version: 784f9a83\n description: An Azure IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]\n agent_version: ''\n filters: []\n- id: chatroom_request\n version: 91aa2a0f\n description: A DNS request was made for a chatroom domain\n expression: dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: common_net_intrusion_util\n version: c7198131\n description: A network utility (nmap) commonly used in intrusion attacks was executed\n expression: exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\",\n \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]\n agent_version: ''\n filters: []\n- id: compile_after_delivery\n version: f41c1e36\n description: A compiler wrote a suspicious file in a container\n expression: |-\n open.flags & O_CREAT > 0\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", 
~\"/usr/local/lib/**\"]\n )\n && (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n && process.file.name not in [\"pip\", ~\"python*\"]\n && container.id != \"\"\n agent_version: ''\n filters: []\n- id: compiler_in_container\n version: 441a7e85\n description: Compiler Executed in Container\n expression: (exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path\n != \"/usr/bin/cilium-agent\"\n agent_version: ''\n filters: []\n- id: credential_modified_chmod\n version: 7e14d921\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: credential_modified_chown\n version: 3731e0d5\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", 
\"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: credential_modified_link\n version: 7594ec54\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_open_v2\n version: 5aec9afe\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n version: 8bb8242b\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_unlink\n version: 5af577d\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", 
\"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n version: 1c101338\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chmod\n version: 13512ebc\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && chmod.file.destination.mode != chmod.file.mode\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chown\n version: ee7b306c\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", 
~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_link\n version: b83e03f6\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_open\n version: 561ad06\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_rename\n version: 59b739d8\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n 
|| rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_unlink\n version: 82b6d187\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_utimes\n version: d460ba68\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cryptominer_args\n version: fc017137\n description: A process launched with arguments associated with cryptominers\n expression: exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args\n in [~\"*stratum+tcp*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: cryptominer_envs\n version: 654a00aa\n description: Process environment variables match 
cryptocurrency miner\n expression: exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: curl_docker_socket\n version: f736b6e6\n description: The Docker socket was referenced in a cURL command\n expression: exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args\n in [\"*docker.sock*\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: database_shell_execution\n version: 3508c713\n description: A database application spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n process.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n !(process.parent.file.name == \"initdb\" &&\n exec.args == \"-c locale -a\") &&\n !(process.parent.file.name == 
\"postgres\" &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: deploy_priv_container\n version: 356d5ee7\n description: A privileged container was created\n expression: exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted\n & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters: []\n- id: dirty_pipe_attempt\n version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag\n & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dirty_pipe_exploitation\n version: 9bcacfe3\n description: Potential Dirty pipe exploitation\n expression: (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dummy_rule\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_AszwF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_BAiZP\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_CpDMZ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_DBtCK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_HfYXr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_JAnCe\n version: 28ba1078\n description: 
Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KJInv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KSDPb\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_LPRxi\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_PkauG\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_RMoJm\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_Tjzvu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VfQSV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VxNSK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_XcxFr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bKkuv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bVlLJ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == 
\"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_cdxqn\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_fWORB\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_iNwDw\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_ipyRF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_ivMAv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_jcvqK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_lszUX\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_mABue\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_qDgvU\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_sUVnW\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_tSfwV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
dummy_rule_xkrhu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n version: 1924611e\n description: A process unlinked a dynamic linker config file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"]\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_write\n version: 764fc516\n description: A process wrote to a dynamic linker config file\n expression: open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: example_agent_rule\n version: 28ba1078\n description: An example agent rule generated in terraform\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == 
\"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exec_lsmod\n version: 1a14c811\n description: Kernel modules were listed using the lsmod 
command\n expression: exec.comm == \"lsmod\"\n agent_version: ''\n filters: []\n- id: exec_whoami\n version: 90ea91b6\n description: The whoami command was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n filters: []\n- id: gcp_imds\n version: 3035dbbf\n description: An GCP IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\",\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version: 60fd84a9\n description: A hidden file was executed in a suspicious folder\n expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version: ''\n filters: []\n- id: interactive_shell_in_container\n version: 757f83d3\n description: An interactive shell was started inside of a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: ip_check_domain\n version: 2d5285c0\n description: A DNS lookup was done for a IP check service\n expression: dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && 
process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: java_shell_execution\n version: 24c2eb7c\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/b
in/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.ancestors.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: java_shell_execution_parent\n version: 1bcff0aa\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.parent.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: jupyter_shell_execution\n version: d2d9243c\n description: A Jupyter notebook executed a 
shell\n expression: (exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"]\n || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"])\n && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: k8s_pod_service_account_token_accessed\n version: 88c0ee3a\n description: The Kubernetes pod service account token was accessed\n expression: open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\",\n ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\"\n && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\",\n 
\"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\",\n \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path not in [\"/usr/bin/cilium-agent\",\n \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\",\n \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\",\n \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\",\n \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\",\n \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\",\n \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\",\n \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\",\n \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\",\n \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 82c61c82\n description: A new kernel module was added\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: kernel_module_chown\n version: ca2cf124\n description: A new kernel module was added\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: kernel_module_link\n version: a18ca197\n description: A new kernel module was added\n expression: |-\n (\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_load\n version: 904592b4\n description: A kernel module was loaded\n expression: load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\",\n \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"]\n && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\",\n \"xtables-legacy-multi\", \"ssm-agent-worker\"]\n agent_version: ''\n filters: []\n- id: kernel_module_load_container\n version: 139b666a\n description: A container loaded a new kernel module\n expression: load_module.name != \"\" && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n description: A kernel module was loaded from memory\n expression: load_module.loaded_from_memory == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n version: a277c753\n description: A kernel module was loaded from memory inside a container\n expression: load_module.loaded_from_memory == true && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_open\n version: 55f9569\n description: A new kernel module was added\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n 
agent_version: ''\n filters: []\n- id: kernel_module_rename\n version: 9d8cb7d8\n description: A new kernel module was added\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_unlink\n version: 652391be\n description: A new kernel module was added\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_utimes\n version: 405d45e7\n description: A new kernel module was added\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kmod_list\n version: c353a548\n description: Kernel modules were listed using the kmod command\n expression: exec.comm == \"kmod\" && exec.args in [~\"*list*\"]\n agent_version: ''\n filters: []\n- id: ld_preload_unusual_library_path\n version: cc6fd0c4\n description: The LD_PRELOAD variable is populated by a link to a suspicious file\n directory\n expression: exec.envs in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]\n agent_version: ''\n filters: []\n- id: memfd_create\n version: 5908512a\n description: memfd object created\n expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\"\n agent_version: ''\n filters: []\n- id: mount_host_fs\n version: accb4f\n description: The host file system was mounted in a container\n expression: mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n agent_version: ''\n filters: []\n- id: mount_proc_hide\n version: fd887e01\n description: Process hidden using mount\n expression: mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\",\n ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_file_download\n version: 75b930ad\n description: A suspicious file was written by a network utility\n expression: |-\n open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n )\n agent_version: ''\n filters: []\n- id: net_unusual_request\n 
version: 3df2d9ef\n description: Network utility executed with suspicious URI\n expression: 'exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n filters: []\n- id: net_util\n version: fc362090\n description: A network utility was executed\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_exfiltration\n version: 5f7c8871\n description: Exfiltration attempt via network utility\n expression: \"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options\\\n \\ in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\"\\\n , ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_util_in_container\n version: 69e03ac1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_in_container_v2\n version: 26d8eba1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: network_sniffing_tool\n 
version: 4ae409bf\n description: Local account groups were enumerated after container start up\n expression: exec.file.name in [\"tcpdump\", \"tshark\"]\n agent_version: ''\n filters: []\n- id: new_binary_execution_in_container\n version: 9dc42e1d\n description: A container executed a new binary not found in the container image\n expression: container.id != \"\" && process.file.in_upper_layer && process.file.modification_time\n < 30s && exec.file.name != \"\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_us1_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chmod\n version: d301aedf\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chown\n version: '69383592'\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_link\n version: e0565b29\n description: Nsswitch Configuration Modified\n expression: 
|-\n (\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open\n version: b5602c6f\n description: Nsswitch Configuration Modified\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open_v2\n version: abef53c9\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_rename\n version: aad34176\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_unlink\n version: 8a3e2fbb\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: ntds_in_commandline\n version: 5cdd4bba\n description: NTDS file referenced in commandline\n expression: exec.cmdline =~ \"*ntds.dit*\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: offensive_k8s_tool\n version: b83fba22\n description: A known kubernetes pentesting tool has been executed\n expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv ||\n \"kubestriker\" in exec.argv ) ) || exec.file.name in [ 
\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: package_management_in_container\n version: c152fcaf\n description: Package management was detected in a container\n expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: pam_modification_chmod\n version: 974a676e\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pam_modification_chown\n version: ca22d0ab\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pam_modification_link\n version: 3d5d6b31\n description: PAM Configuration Files Modification\n expression: |-\n (\n (link.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_open\n version: 9440f452\n description: PAM Configuration Files Modification\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_rename\n version: bd1d257a\n description: PAM Configuration Files Modification\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in 
[ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_unlink\n version: c3dc53e1\n description: PAM Configuration Files Modification\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_utimes\n version: d377b599\n description: PAM may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: passwd_execution\n version: e1d41f5e\n description: The passwd or chpasswd utility was used to modify an account password\n expression: exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags\n not in [\"S\", \"status\"]\n agent_version: ''\n filters: []\n- id: paste_site\n version: b528c8d4\n description: A DNS lookup was done for a pastebin-like site\n expression: dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\",\n \"klgrth.io\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chown\n version: 21da2189\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_link\n version: a7ac587c\n description: Critical system binaries may have been modified\n expression: |-\n (\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open\n version: f583ba7c\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open_v2\n version: 45abd074\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version: e0bc0857\n description: Critical system binaries may have been modified\n expression: |-\n (\n (rename.file.path in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_unlink\n version: 3bb086ca\n description: Critical system binaries may have been modified\n expression: |-\n (\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_utimes\n version: 6d979630\n description: Critical system binaries may have been modified\n expression: |-\n (\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: potential_cryptominer\n version: 4241c309\n description: A process resolved a DNS name associated with cryptomining activity\n expression: dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\",\n ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\",\n ~\"*rplant.xyz\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: potential_web_shell_parent\n version: b67ffbcd\n description: A web application spawned a shell or shell utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")\n agent_version: ''\n filters: []\n- id: ps_discovery\n version: 
a0a32c4b\n description: Processes were listed using the ps command\n expression: exec.comm == \"ps\" && exec.argv not in [\"-p\", \"--pid\"] && process.ancestors.file.name\n not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] && process.parent.file.name\n not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\",\n \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\",\n \"check_procs\", \"newrelic-daemon\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ptrace_antidebug\n version: a6289ff7\n description: A process uses an anti-debugging technique to block debuggers\n expression: ptrace.request == PTRACE_TRACEME && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: ptrace_injection\n version: 6d290a43\n description: A process attempted to inject code into another process\n expression: ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n || ptrace.request == PTRACE_POKEUSR\n agent_version: ''\n filters: []\n- id: pwnkit_privilege_escalation\n version: c83bbabc\n description: A process was spawned with indicators of exploitation of CVE-2021-4034\n expression: (exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"]\n && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)\n agent_version: ''\n filters: []\n- id: python_cli_code\n version: '989474'\n description: Python code was provided on the command line\n expression: exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args\n in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version: ''\n filters: []\n- id: ransomware_note\n version: ee40f85a\n description: Possible ransomware note created under common user directories\n expression: |-\n open.flags & O_CREAT > 0\n && open.file.path in [~\"/home/**\", ~\"/root/**\", 
~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n && open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] && open.file.name not in [r\".*\\.lock$\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n description: RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: read_kubeconfig\n version: '80926379'\n description: The kubeconfig file was accessed\n expression: open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]\n agent_version: ''\n filters: []\n- id: read_release_info\n version: d0cc9710\n description: OS information was read from the /etc/lsb-release file\n expression: open.file.path == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0\n agent_version: ''\n filters: []\n- id: redis_save_module\n version: b1cb9110\n description: Redis module has been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\", \"redis-server\"]\n agent_version: ''\n filters: []\n- id: registry_runkey_modified\n version: 3df7b8e9\n description: A Registry runkey has been modified\n expression: set.registry.key_path in [~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n 
~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\n NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: runc_modification\n version: c7144439\n description: The runc binary was modified in a non-standard way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: safeboot_modification\n version: 75fb1a6f\n description: Safeboot registry modified\n expression: set.registry.key_path =~ \"*\\\\HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: scheduled_task_creation\n version: 9c3f2289\n description: A scheduled task was created\n expression: exec.file.name in [\"at.exe\",\"schtasks.exe\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: selinux_disable_enforcement\n 
version: afa9a8ba\n description: SELinux enforcement status was disabled\n expression: selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args\n != ~\"*BECOME-SUCCESS*\"\n agent_version: ''\n filters: []\n- id: service_stop\n version: 8e434232\n description: systemctl used to stop a service\n expression: exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]\n agent_version: ''\n filters: []\n- id: shell_history_deleted\n version: ff763e6\n description: Shell History was Deleted\n expression: (unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") && process.comm\n not in [\"dockerd\", \"containerd\"]\n agent_version: ''\n filters: []\n- id: shell_history_symlink\n version: 31982e4d\n description: A symbolic link for shell history was created targeting /dev/null\n expression: exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n agent_version: ''\n filters: []\n- id: shell_history_truncated\n version: 38ec83e8\n description: Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name\n =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path in [~\"/root/*\", ~\"/home/**\"]\n && process.file.name == \"truncate\"\n agent_version: ''\n filters: []\n- id: shell_profile_modification\n version: d1cecdac\n description: Shell profile was modified\n expression: open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chmod\n version: e4096f79\n description: SSH modified keys may have been modified\n expression: |-\n (\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chown\n version: 9639bf6\n description: SSH modified keys may have been 
modified\n expression: |-\n (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_link\n version: 81382bdd\n description: SSH Authorized Keys Modified\n expression: |-\n (\n link.file.name == \"authorized_keys\" && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open\n version: 1ae8f7d6\n description: SSH Authorized Keys Modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name == \"authorized_keys\" && (open.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open_v2\n version: 513f8108\n description: SSH modified keys may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_rename\n version: fd3bdabf\n description: SSH Authorized Keys Modified\n expression: |-\n (\n rename.file.name == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_unlink\n version: 54cf4a88\n description: SSH Authorized Keys Modified\n expression: |-\n (\n unlink.file.name == \"authorized_keys\" && (unlink.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_utimes\n version: 59377e61\n description: SSH Authorized Keys Modified\n expression: |-\n (\n utimes.file.name == 
\"authorized_keys\" && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_it_tool_config_write\n version: 86ae3762\n description: The configuration directory for an ssh worm\n expression: open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\",\n ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) >\n 0\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_chmod\n version: d8ac6517\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.mode != chmod.file.destination.mode\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_chown\n version: 3d04895f\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != 
\"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_link\n version: eb594616\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n )\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open\n version: c34bcf3a\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: 
ssl_certificate_tampering_open_v2\n version: a90058eb\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_rename\n version: e42eefb4\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_unlink\n version: 37c40311\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_utimes\n version: 29db81c1\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chmod\n version: ae70daab\n description: Sudoers policy file may have been modified without authorization\n expression: \"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode\\\n \\ != chmod.file.mode && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\"\\\n , ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"\\\n ]\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chown\n version: 898b1aa0\n 
description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (chown.file.path == \"/etc/sudoers\")\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_link\n version: 1f1b8962\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_open\n version: af2610b6\n description: Sudoers policy file may have been modified without authorization\n expression: |2-\n\n (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_rename\n version: 531fc9ae\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_unlink\n version: 5568da57\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (unlink.file.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_utimes\n version: d99c2466\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (utimes.file.path == \"/etc/sudoers\")\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: suid_file_execution\n version: 1b4f4075\n description: a SUID file was executed\n expression: (setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID\n > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"\n agent_version: ''\n filters: []\n- id: suspicious_container_client\n version: 8b9461f4\n description: A container management utility was executed in a container\n expression: exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: suspicious_suid_execution\n version: 216c8207\n description: Recently written or modified suid file has been executed\n expression: ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n version: b0643139\n description: A service may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: systemd_modification_chown\n version: a0497885\n 
description: A service may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: systemd_modification_link\n version: 11a77f5b\n description: A service may have been modified without authorization\n expression: |-\n (\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_open\n version: b6dce303\n description: A service may have been modified without authorization\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_rename\n version: 9759ce6\n description: A service may have been modified without authorization\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", 
~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_unlink\n version: 8400ece8\n description: A service may have been modified without authorization\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_utimes\n version: 82acf2d\n description: A service may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: tar_execution\n version: e63af392\n description: Tar archive created\n expression: exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\n version: f43786f8\n description: Test Agent 
rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n 
agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\n version: 28ba1078\n description: an agent rule\n 
expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name 
== \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tty_shell_in_container\n version: 3d9489bb\n description: A shell with a TTY was executed in a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"\n agent_version: ''\n filters: []\n- id: tunnel_traffic\n version: 816201a5\n description: Tunneling or port forwarding tool used\n expression: ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags\n in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in\n [\"R\", \"L\", \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"]\n ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"])\n || (exec.comm == 
\"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) ||\n (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\",\n \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: user_created_tty\n version: 5b5f4a52\n description: A user was created via an interactive session\n expression: exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name\n !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version: ''\n filters: []\n- id: user_deleted_tty\n version: ad8edbe\n description: A user was deleted via an interactive session\n expression: exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path\n not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: windows_cryptominer_process\n version: e26f81ab\n description: A cryptominer was potentially executed\n expression: exec.cmdline in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\",\n ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\",\n ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n", "headers": { "Content-Type": [ "application/yaml" 
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze
new file mode 100644
index 00000000000..27be8fe236a
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze
@@ -0,0 +1 @@
+2025-04-15T09:10:08.098Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json
new file mode 100644
index 00000000000..1e779b5c9c5
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json
@@ -0,0 +1,87 @@
+[
+ {
+ "httpRequest": {
+ "body": {
+ "type": "JSON",
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1744708208\"},\"type\":\"policy\"}}"
+ },
+ "headers": {},
+ "method": "POST",
+ "path": "/api/v2/remote_config/products/cws/policy",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"data\":{\"id\":\"pp8-iw5-agt\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1744708208\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708208235,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 200,
+ "reasonPhrase": "OK"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "b2969d22-85e5-4937-1c5e-69b0b4dd2cdd"
+ },
+ {
+ "httpRequest": {
+ "body": {
+ "type": "JSON",
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:test\"],\"hostTagsLists\":[[\"env:test\"]],\"name\":\"\"},\"id\":\"pp8-iw5-agt\",\"type\":\"policy\"}}"
+ },
+ "headers": {},
+ "method": "PATCH",
+ "path": "/api/v2/remote_config/products/cws/policy/pp8-iw5-agt",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"errors\":[{\"title\":\"failed to update policy\"}]}\n",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 400,
+ "reasonPhrase": "Bad Request"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "65009941-1ff9-1bfa-4706-321ef39f0234"
+ },
+ {
+ "httpRequest": {
+ "headers": {},
+ "method": "DELETE",
+ "path": "/api/v2/remote_config/products/cws/policy/pp8-iw5-agt",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 204,
+ "reasonPhrase": "No Content"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "f0b05244-2995-2cdc-71ee-d76275cc04bd"
+ }
+]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..435b652a26b
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2025-04-01T14:31:00.854Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json
new file mode 100644
index 00000000000..6e6bdf75f3a
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json
@@ -0,0 +1,32 @@
+[
+ {
+ "httpRequest": {
+ "body": {
+ "type": "JSON",
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[],\"name\":\"my_agent_policy\"},\"id\":\"non-existent-policy-id\",\"type\":\"policy\"}}"
+ },
+ "headers": {},
+ "method": "PATCH",
+ "path": "/api/v2/remote_config/products/cws/policy/non-existent-policy-id",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"errors\":[{\"title\":\"failed to update policy\"}]}\n",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 400,
+ "reasonPhrase": "Bad Request"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "53c2d138-ea8f-e494-db00-9481f45b660f"
+ }
+]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
new file mode 100644
index 00000000000..562f84a677a
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-04-15T09:10:09.401Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.json
new file mode 100644
index 00000000000..4208a01d615
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.json
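Review bot: The cassette is named "Not Found" but the recorded reply to the PATCH on `/api/v2/remote_config/products/cws/policy/non-existent-policy-id` is `"statusCode": 400` with `"reasonPhrase": "Bad Request"` and the generic body `failed to update policy`, so the fixture replays a 400 where the scenario name implies a 404. If the feature step asserts 404, this replay will fail; if the backend genuinely answers 400 for an unknown policy id, the scenario name and its expectation should be changed to Bad Request so the test documents the real contract. Either way, a caller cannot tell "policy does not exist" from "invalid request" with this response, which is worth a note in the spec. The agent-rule Not Found cassette that follows is cut off at the end of this view, so I cannot tell whether it shows the same mismatch.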
@@ -0,0 +1,87 @@
+[
+ {
+ "httpRequest": {
+ "body": {
+ "type": "JSON",
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentpolicyreturnsokresponse1744708209\"},\"type\":\"policy\"}}"
+ },
+ "headers": {},
+ "method": "POST",
+ "path": "/api/v2/remote_config/products/cws/policy",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"data\":{\"id\":\"99n-cjh-wuo\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentpolicyreturnsokresponse1744708209\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708209551,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 200,
+ "reasonPhrase": "OK"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "1fb5c500-dfb9-2425-cd65-56ea5193a93b"
+ },
+ {
+ "httpRequest": {
+ "body": {
+ "type": "JSON",
+ "json": "{\"data\":{\"attributes\":{\"description\":\"Updated agent policy\",\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"name\":\"updated_agent_policy\"},\"id\":\"99n-cjh-wuo\",\"type\":\"policy\"}}"
+ },
+ "headers": {},
+ "method": "PATCH",
+ "path": "/api/v2/remote_config/products/cws/policy/99n-cjh-wuo",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"data\":{\"id\":\"99n-cjh-wuo\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"Updated agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"updated_agent_policy\",\"policyVersion\":\"2\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708210164,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 200,
+ "reasonPhrase": "OK"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "dece4030-3b3e-2573-dca5-4114f43a268e"
+ },
+ {
+ "httpRequest": {
+ "headers": {},
+ "method": "DELETE",
+ "path": "/api/v2/remote_config/products/cws/policy/99n-cjh-wuo",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 204,
+ "reasonPhrase": "No Content"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "28e61e7e-d20c-905a-fde7-6eaf56075e7a"
+ }
+]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
index 97a67f75df7..12d907c5d09 100644
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
+++ b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
@@ -1 +1 @@
-2024-05-28T19:38:08.047Z
\ No newline at end of file
+2025-04-15T09:10:11.192Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json
index a67fc5035cf..51948623958 100644
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json
+++ b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json
@@ -3,7 +3,37 @@ "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1716925088\"},\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\"},\"type\":\"policy\"}}" + }, + "headers": {}, + "method": "POST", + "path": "/api/v2/remote_config/products/cws/policy", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "body": "{\"data\":{\"id\":\"1i5-k3r-2dg\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708211304,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 200, + "reasonPhrase": "OK" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "11c0a116-8511-2ec4-19e0-00da0df22c67" + }, + { + "httpRequest": { + "body": { + "type": "JSON", + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\",\"policy_id\":\"1i5-k3r-2dg\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "POST", 
@@ -12,7 +42,7 @@ "secure": true }, "httpResponse": { - "body": "{\"data\":{\"id\":\"0wn-l36-875\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1716925088306,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1716925088\",\"updateDate\":1716925088306,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "body": "{\"data\":{\"id\":\"qtl-8mk-8gy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1744708211716,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\",\"updateDate\":1744708211716,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "headers": { "Content-Type": [ "application/json" 
@@ -27,22 +57,22 @@ "timeToLive": { "unlimited": true }, - "id": "f62fa329-b7d7-f3c4-3945-5f1d7d83ff69" + "id": "f04fc9f7-33c8-f920-4e1d-f0f3edfee6c9" }, { "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"open.file.path = sh\"},\"id\":\"0wn-l36-875\",\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"1i5-k3r-2dg\",\"product_tags\":[]},\"id\":\"invalid-agent-rule-id\",\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "PATCH", - "path": "/api/v2/remote_config/products/cws/agent_rules/0wn-l36-875", + "path": "/api/v2/remote_config/products/cws/agent_rules/qtl-8mk-8gy", "keepAlive": false, "secure": true }, "httpResponse": { - "body": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testupdateacsmthreatsagentrulereturnsbadrequestresponse1716925088` error: syntax error `1:18: unexpected token \\\"sh\\\" (expected \\\"~\\\")`)\"]}", + "body": "{\"errors\":[{\"title\":\"failed to update rule\"}]}\n", "headers": { "Content-Type": [ "application/json" 
@@ -57,13 +87,38 @@ "timeToLive": { "unlimited": true }, - "id": "093c0289-66a7-d4d4-e415-092f0a75ee45" + "id": "e52d38b8-0b43-82d9-0ebf-96069dc20eab" + }, + { + "httpRequest": { + "headers": {}, + "method": "DELETE", + "path": "/api/v2/remote_config/products/cws/agent_rules/qtl-8mk-8gy", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 204, + "reasonPhrase": "No Content" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "a69cd5fd-0e07-d6d2-a98b-3dc95cae8960" }, { "httpRequest": { "headers": {}, "method": "DELETE", - "path": "/api/v2/remote_config/products/cws/agent_rules/0wn-l36-875", + "path": "/api/v2/remote_config/products/cws/policy/1i5-k3r-2dg", "keepAlive": false, "secure": true }, @@ -82,6 +137,6 @@ "timeToLive": { "unlimited": true }, - "id": "3fee0144-9473-47d2-5c7b-abbbf617da0b" + "id": "1346db6d-9d2d-5b3a-73df-39a434f3cce3" } ] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze index 55a64f021bc..1a52f175ee4 100644 --- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze +++ b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze @@ -1 +1 @@ -2024-04-23T17:57:51.488Z \ No newline at end of file +2025-04-01T14:31:02.941Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json index 475dc384fed..5ba170cc43c 100644 
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json +++ b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json 
@@ -3,11 +3,41 @@ "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"abc-123-xyz\",\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentrulereturnsnotfoundresponse1743517862\"},\"type\":\"policy\"}}" + }, + "headers": {}, + "method": "POST", + "path": "/api/v2/remote_config/products/cws/policy", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "body": "{\"data\":{\"id\":\"jnw-szj-ssb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsnotfoundresponse1743517862\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517862965,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 200, + "reasonPhrase": "OK" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "a5b4f0f5-921d-1238-a3ba-7be467925bdd" + }, + { + "httpRequest": { + "body": { + "type": "JSON", + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"jnw-szj-ssb\",\"product_tags\":[]},\"id\":\"non-existent-rule-id\",\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "PATCH", - "path": "/api/v2/remote_config/products/cws/agent_rules/abc-123-xyz", + "path": "/api/v2/remote_config/products/cws/agent_rules/non-existent-rule-id", "keepAlive": false, "secure": true }, 
@@ -27,6 +57,31 @@ "timeToLive": { "unlimited": true }, - "id": "7807b5a5-97b5-187b-b0a3-77a5ae8ad078" + "id": "01c1270a-1be6-f0b0-dc98-f31d16c15991" + }, + { + "httpRequest": { + "headers": {}, + "method": "DELETE", + "path": "/api/v2/remote_config/products/cws/policy/jnw-szj-ssb", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 204, + "reasonPhrase": "No Content" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "4f00a455-c419-4dd2-6a08-813d14665dd0" } ] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze index b8c550f338c..4dd297f02ff 100644 --- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze +++ b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze @@ -1 +1 @@ -2024-04-23T17:57:51.647Z \ No newline at end of file +2025-04-01T14:31:03.998Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.json index 7bcd4b9b822..086d7f0a3dc 100644 --- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.json +++ b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.json 
@@ -3,7 +3,37 @@ "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1713895071\"},\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\"},\"type\":\"policy\"}}" + }, + "headers": {}, + "method": "POST", + "path": "/api/v2/remote_config/products/cws/policy", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "body": "{\"data\":{\"id\":\"evg-ugc-rb3\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517864028,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 200, + "reasonPhrase": "OK" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "0c3fda99-1c43-1b08-836a-391d182a1d50" + }, + { + "httpRequest": { + "body": { + "type": "JSON", + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\",\"policy_id\":\"evg-ugc-rb3\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "POST", 
@@ -12,7 +42,7 @@ "secure": true }, "httpResponse": { - "body": "{\"data\":{\"id\":\"0am-0rq-wvm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713895071711,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1713895071\",\"updateDate\":1713895071711,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}}}", + "body": "{\"data\":{\"id\":\"pqr-gh6-gj4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517864391,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\",\"updateDate\":1743517864391,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "headers": { "Content-Type": [ "application/json" 
@@ -27,22 +57,27 @@ "timeToLive": { "unlimited": true }, - "id": "471eb78b-7cfd-2f70-4ae3-f2883a04f580" + "id": "a3be8466-7def-08ce-24be-d8ef3fb00988" }, { "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"0am-0rq-wvm\",\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"evg-ugc-rb3\",\"product_tags\":[]},\"id\":\"pqr-gh6-gj4\",\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "PATCH", - "path": "/api/v2/remote_config/products/cws/agent_rules/0am-0rq-wvm", + "path": "/api/v2/remote_config/products/cws/agent_rules/pqr-gh6-gj4", + "queryStringParameters": { + "policy_id": [ + "evg-ugc-rb3" + ] + }, "keepAlive": false, "secure": true }, "httpResponse": { - "body": "{\"data\":{\"id\":\"0am-0rq-wvm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1713895071000,\"creator\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1713895071\",\"updateDate\":1713895072276,\"updater\":{\"name\":\"\",\"handle\":\"frog@datadoghq.com\"}}}}", + "body": "{\"data\":{\"id\":\"pqr-gh6-gj4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517864000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == 
\\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\",\"updateDate\":1743517865118,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}", "headers": { "Content-Type": [ "application/json" @@ -57,13 +92,38 @@ "timeToLive": { "unlimited": true }, - "id": "d0c38981-b717-ce2d-3ca5-a0603acce280" + "id": "b034f20b-0de9-d90d-4bc8-1f6b2418a850" + }, + { + "httpRequest": { + "headers": {}, + "method": "DELETE", + "path": "/api/v2/remote_config/products/cws/agent_rules/pqr-gh6-gj4", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 204, + "reasonPhrase": "No Content" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "eebe739e-597a-a7ad-2ae5-5b6070b7c5a1" }, { "httpRequest": { "headers": {}, "method": "DELETE", - "path": "/api/v2/remote_config/products/cws/agent_rules/0am-0rq-wvm", + "path": "/api/v2/remote_config/products/cws/policy/evg-ugc-rb3", "keepAlive": false, "secure": true }, @@ -82,6 +142,6 @@ "timeToLive": { "unlimited": true }, - "id": "6111ac83-5a6e-0dab-01fb-7ef0e9c6b924" + "id": "0c78cd95-6f69-98e1-e8cd-000071236304" } ] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze index d36fbc87a35..36ea0d26094 100644 --- a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze +++ b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze @@ -1 +1 @@ -2024-05-28T19:38:09.490Z \ No newline at end of file +2025-04-18T09:10:14.669Z \ No newline at end of file 
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json index d83c4751ae1..29725cfcb09 100644 --- a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json +++ b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json @@ -3,7 +3,7 @@ "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1716925089\"},\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414\"},\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "POST", 
@@ -12,7 +12,7 @@ "secure": true }, "httpResponse": { - "body": "{\"data\":{\"id\":\"qdg-dfm-kku\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1716925089\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1716925089625,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1716925089625,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"defaultRule\":false,\"enabled\":true,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", + "body": "{\"data\":{\"id\":\"03s-ro8-kgi\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967414924,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967414924,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", "headers": { "Content-Type": [ "application/json" 
@@ -27,22 +27,22 @@ "timeToLive": { "unlimited": true }, - "id": "a135c5ab-5ca5-e218-38b2-ea5530f3a5c9" + "id": "6117d741-146f-7545-62ac-cea7ec42f4ff" }, { "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"open.file.path = sh\"},\"id\":\"qdg-dfm-kku\",\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\"},\"id\":\"03s-ro8-kgi\",\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "PATCH", - "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/qdg-dfm-kku", + "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/03s-ro8-kgi", "keepAlive": false, "secure": true }, "httpResponse": { - "body": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1716925089` error: syntax error `1:18: unexpected token \\\"sh\\\" (expected \\\"~\\\")`)\"]}\n", + "body": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414` error: rule syntax error: bool expected: 1:1: exec.file.name\\n^)\"]}\n", "headers": { "Content-Type": [ "application/json" @@ -57,13 +57,13 @@ "timeToLive": { "unlimited": true }, - "id": "f29f2542-be39-334f-dc8b-2ad205b681c8" + "id": "8b083a0f-780e-6fec-489c-57490e757c7e" }, { "httpRequest": { "headers": {}, "method": "DELETE", - "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/qdg-dfm-kku", + "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/03s-ro8-kgi", "keepAlive": false, "secure": true }, @@ -78,6 +78,6 @@ "timeToLive": { "unlimited": true }, - "id": "12b5b1ee-2dbb-abf1-ccfc-539561fe7778" + "id": "253a3c81-6e61-cec1-0cb2-25fbb073e320" } ] \ No newline at end of file 
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze index e732e6152e0..30a73c79d2d 100644 --- a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze +++ b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze @@ -1 +1 @@ -2024-05-28T19:38:10.057Z \ No newline at end of file +2025-04-18T09:45:20.422Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json index 019e7a789b6..f9477eaa18e 100644 --- a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json +++ b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json 
@@ -3,16 +3,16 @@ "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"abc-123-xyz\",\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"invalid-agent-rule-id\",\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "PATCH", - "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-123-xyz", + "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/non-existent-rule-id", "keepAlive": false, "secure": true }, "httpResponse": { - "body": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=abc-123-xyz)\"]}\n", + "body": "{\"errors\":[\"Not found\"]}\n", "headers": { "Content-Type": [ "application/json" @@ -27,6 +27,6 @@ "timeToLive": { "unlimited": true }, - "id": "7edac9ea-36b8-deb4-6f4b-a1e4b54dd869" + "id": "f6805e00-15e4-871e-20ec-52d323b5f750" } ] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze index 14aae3e61fb..0ad336788ee 100644 --- a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze +++ b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze @@ -1 +1 @@ -2024-05-28T19:38:10.219Z \ No newline at end of file +2025-04-18T09:10:15.690Z \ No newline at end of file 
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json index a7dc26a0df3..441e5d5d1aa 100644 --- a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json +++ b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json @@ -3,7 +3,7 @@ "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1716925090\"},\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415\"},\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "POST", 
@@ -12,7 +12,7 @@ "secure": true }, "httpResponse": { - "body": "{\"data\":{\"id\":\"wmz-xld-san\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1716925090\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1716925090332,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1716925090332,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", + "body": "{\"data\":{\"id\":\"szj-quo-wak\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967416010,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967416010,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", "headers": { "Content-Type": [ "application/json" 
@@ -27,22 +27,22 @@ "timeToLive": { "unlimited": true }, - "id": "756706f9-ee44-e129-6017-1c348b77b175" + "id": "54f8bc31-f520-cf8c-abba-6e785e33b5c4" }, { "httpRequest": { "body": { "type": "JSON", - "json": "{\"data\":{\"attributes\":{\"description\":\"Test Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"wmz-xld-san\",\"type\":\"agent_rule\"}}" + "json": "{\"data\":{\"attributes\":{\"description\":\"Updated Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"szj-quo-wak\",\"type\":\"agent_rule\"}}" }, "headers": {}, "method": "PATCH", - "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/wmz-xld-san", + "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/szj-quo-wak", "keepAlive": false, "secure": true }, "httpResponse": { - "body": "{\"data\":{\"id\":\"wmz-xld-san\",\"attributes\":{\"version\":2,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1716925090\",\"description\":\"Test Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1716925090332,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1716925090525,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"enabled\":true,\"defaultRule\":false,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", + "body": "{\"data\":{\"id\":\"szj-quo-wak\",\"attributes\":{\"version\":2,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415\",\"description\":\"Updated Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process 
Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967416010,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967416272,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n", "headers": { "Content-Type": [ "application/json" @@ -57,13 +57,13 @@ "timeToLive": { "unlimited": true }, - "id": "d6b91df8-ed14-c69c-d2f7-0fe430881561" + "id": "699d0e12-aa45-3822-5218-e33c74419e60" }, { "httpRequest": { "headers": {}, "method": "DELETE", - "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/wmz-xld-san", + "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/szj-quo-wak", "keepAlive": false, "secure": true }, @@ -78,6 +78,6 @@ "timeToLive": { "unlimited": true }, - "id": "b914031c-dd6d-49b8-5b9e-976786e1d09c" + "id": "f0e156b5-4936-979e-a781-80a7393794af" } ] \ No newline at end of file diff --git a/src/test/resources/com/datadog/api/client/v2/api/csm_threats.feature b/src/test/resources/com/datadog/api/client/v2/api/csm_threats.feature index 17d49528c52..b6479f1cf8c 100644 --- a/src/test/resources/com/datadog/api/client/v2/api/csm_threats.feature +++ b/src/test/resources/com/datadog/api/client/v2/api/csm_threats.feature 
@@ -11,69 +11,111 @@ Feature: CSM Threats And a valid "appKeyAuth" key in the system And an instance of "CSMThreats" API + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Create a CSM Threats Agent policy returns "Bad Request" response + Given new "CreateCSMThreatsAgentPolicy" request + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "hostTagsLists": [], "name": "test"}, "type": "policy"}} + When the request is sent + Then the response status is 400 Bad Request + + @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Create a CSM Threats Agent policy returns "Conflict" response + Given new "CreateCSMThreatsAgentPolicy" request + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "type": "policy"}} + When the request is sent + Then the response status is 409 Conflict + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Create a CSM Threats Agent policy returns "OK" response + Given new "CreateCSMThreatsAgentPolicy" request + And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "my_agent_policy"}, "type": "policy"}} + When the request is sent + Then the response status is 200 OK + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a CSM Threats Agent rule returns "Bad Request" response - Given new "CreateCSMThreatsAgentRule" request - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == sh", "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCSMThreatsAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", 
"enabled": true, "expression": "exec.file.name", "filters": [], "name": "my_agent_rule", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}} When the request is sent Then the response status is 400 Bad Request @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a CSM Threats Agent rule returns "Conflict" response - Given new "CreateCSMThreatsAgentRule" request - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "my_agent_rule"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCSMThreatsAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "my_agent_rule", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}} When the request is sent Then the response status is 409 Conflict @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a CSM Threats Agent rule returns "OK" response - Given new "CreateCSMThreatsAgentRule" request - And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": ["os == \"linux\""], "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCSMThreatsAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}} When the request is sent Then the response status is 200 OK @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a Cloud Workload Security Agent 
rule returns "Bad Request" response - Given new "CreateCloudWorkloadSecurityAgentRule" request - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "open.file.path = sh", "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCloudWorkloadSecurityAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name", "filters": [], "name": "my_agent_rule"}, "type": "agent_rule"}} When the request is sent Then the response status is 400 Bad Request @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a Cloud Workload Security Agent rule returns "Conflict" response - Given new "CreateCloudWorkloadSecurityAgentRule" request - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCloudWorkloadSecurityAgentRule" request + And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "my_agent_rule"}, "type": "agent_rule"}} When the request is sent Then the response status is 409 Conflict @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Create a Cloud Workload Security Agent rule returns "OK" response - Given new "CreateCloudWorkloadSecurityAgentRule" request - And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} + Given there is a valid "policy_rc" in the system + And new "CreateCloudWorkloadSecurityAgentRule" request + And body with value {"data": 
{"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}} When the request is sent Then the response status is 200 OK - And the response "data.type" is equal to "agent_rule" - And the response "data.attributes.description" is equal to "Test Agent rule" + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Delete a CSM Threats Agent policy returns "Not Found" response + Given new "DeleteCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter with value "non-existent-policy-id" + When the request is sent + Then the response status is 404 Not Found + + @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + Scenario: Delete a CSM Threats Agent policy returns "OK" response + Given there is a valid "policy_rc" in the system + And new "DeleteCSMThreatsAgentPolicy" request + And request contains "policy_id" parameter from "policy.data.id" + When the request is sent + Then the response status is 204 OK @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Delete a CSM Threats Agent rule returns "Not Found" response Given new "DeleteCSMThreatsAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" When the request is sent Then the response status is 404 Not Found @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Delete a CSM Threats Agent rule returns "OK" response - Given there is a valid "agent_rule_rc" in the system + Given there is a valid "policy_rc" in the system + And there is a valid "agent_rule_rc" in the system And new "DeleteCSMThreatsAgentRule" request And request contains "agent_rule_id" parameter from "agent_rule.data.id" + And request contains "policy_id" parameter from "policy.data.id" When the 
request is sent Then the response status is 204 OK @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend Scenario: Delete a Cloud Workload Security Agent rule returns "Not Found" response Given new "DeleteCloudWorkloadSecurityAgentRule" request - And request contains "agent_rule_id" parameter with value "abc-123-xyz" + And request contains "agent_rule_id" parameter with value "non-existent-rule-id" When the request is sent Then the response status is 404 Not Found 
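Review bot: The "Create a Cloud Workload Security Agent rule returns OK response" scenario in this hunk now stops at the status check, because the two response assertions were removed without replacements; keeping a shape check is cheap, e.g. `And the response "data.type" is equal to "agent_rule"` and `And the response "data.attributes.description" is equal to "My Agent rule"` (the description in the new body). The following hunk drops the same kind of assertions from "Get a CSM Threats Agent rule returns OK", "Get a Cloud Workload Security Agent rule returns OK" and "Get all Cloud Workload Security Agent rules returns OK", so the three Get scenarios would only ever fail on a wrong status code. Separately, the three "Create a Cloud Workload Security Agent rule" scenarios gain `Given there is a valid "policy_rc" in the system` although their request bodies carry no `policy_id`, so each run appears to create and tear down a policy the request never uses; if the backend now needs a policy to exist for this endpoint, a one-line comment saying so would prevent the next maintainer from deleting the step.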
@@ -85,27 +127,42 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 204 OK
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Get a CSM Threats Agent policy returns "Not Found" response
+ Given new "GetCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter with value "non-existent-policy-id"
+ When the request is sent
+ Then the response status is 404 Not Found
+
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Get a CSM Threats Agent policy returns "OK" response
+ Given there is a valid "policy_rc" in the system
+ And new "GetCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter from "policy.data.id"
+ When the request is sent
+ Then the response status is 200 OK
+
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Get a CSM Threats Agent rule returns "Not Found" response
 Given new "GetCSMThreatsAgentRule" request
- And request contains "agent_rule_id" parameter with value "abc-123-xyz"
+ And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
 When the request is sent
 Then the response status is 404 Not Found
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Get a CSM Threats Agent rule returns "OK" response
- Given there is a valid "agent_rule_rc" in the system
+ Given there is a valid "policy_rc" in the system
+ And there is a valid "agent_rule_rc" in the system
 And new "GetCSMThreatsAgentRule" request
 And request contains "agent_rule_id" parameter from "agent_rule.data.id"
+ And request contains "policy_id" parameter from "policy.data.id"
 When the request is sent
 Then the response status is 200 OK
- And the response "data.type" is equal to "agent_rule"
- And the response "data.attributes.description" is equal to "My Agent rule"
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Get a Cloud Workload Security Agent rule returns "Not Found" response
 Given new "GetCloudWorkloadSecurityAgentRule" request
- And request contains "agent_rule_id" parameter with value "abc-123-xyz"
+ And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
 When the request is sent
 Then the response status is 404 Not Found
@@ -116,8 +173,12 @@ Feature: CSM Threats
 And request contains "agent_rule_id" parameter from "agent_rule.data.id"
 When the request is sent
 Then the response status is 200 OK
- And the response "data.type" is equal to "agent_rule"
- And the response "data.attributes.description" is equal to "My Agent rule"
+
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Get all CSM Threats Agent policies returns "OK" response
+ Given new "ListCSMThreatsAgentPolicies" request
+ When the request is sent
+ Then the response status is 200 OK
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Get all CSM Threats Agent rules returns "OK" response
@@ -127,11 +188,9 @@ Feature: CSM Threats
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Get all Cloud Workload Security Agent rules returns "OK" response
- Given there is a valid "agent_rule" in the system
- And new "ListCloudWorkloadSecurityAgentRules" request
+ Given new "ListCloudWorkloadSecurityAgentRules" request
 When the request is sent
 Then the response status is 200 OK
- And the response "data[0].type" is equal to "agent_rule"
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Get the latest CSM Threats policy returns "OK" response
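Review bot: The new "Get a CSM Threats Agent policy returns "OK" response" scenario asserts only `200 OK`, and the same hunk removes the `data.type` and `data.attributes.description` checks from the Get-rule OK scenario, so a response with an empty or wrongly typed body would still pass both. Add `And the response "data.type" is equal to "policy"` after the policy scenario's `Then` step and restore `And the response "data.type" is equal to "agent_rule"` on the rule scenario. Asserting an attribute the fixture set, such as `And the response "data.attributes.enabled" is equal to true`, would additionally catch a policy being read back with a different enabled state than it was created with, which is presumably the field that decides whether the policy is applied at all.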
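Review bot: "Get all Cloud Workload Security Agent rules returns "OK" response" no longer creates an `agent_rule` first and drops the `data[0].type` assertion, so it now passes on any `200 OK`, including an empty `data` array or a changed item shape. Keep the fixture step `Given there is a valid "agent_rule" in the system` and the assertion `And the response "data[0].type" is equal to "agent_rule"` so the list endpoint is checked against a known item. If the fixture was removed to save setup cost, the test needs some other guarantee that the list is non-empty before an item-shape assertion is meaningful.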
@@ -145,49 +204,87 @@ Feature: CSM Threats
 When the request is sent
 Then the response status is 200 OK
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Update a CSM Threats Agent policy returns "Bad Request" response
+ Given there is a valid "policy_rc" in the system
+ And new "UpdateCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter from "policy.data.id"
+ And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": ["env:test"], "hostTagsLists": [["env:test"]], "name": ""}, "id": "{{ policy.data.id }}", "type": "policy"}}
+ When the request is sent
+ Then the response status is 400 Bad Request
+
+ @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Update a CSM Threats Agent policy returns "Concurrent Modification" response
+ Given there is a valid "policy_rc" in the system
+ And new "UpdateCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter from "policy.data.id"
+ And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "id": "{{ policy.data.id }}", "type": "policy"}}
+ When the request is sent
+ Then the response status is 409 Concurrent Modification
+
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Update a CSM Threats Agent policy returns "Not Found" response
+ Given new "UpdateCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter with value "non-existent-policy-id"
+ And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "id": "non-existent-policy-id", "type": "policy"}}
+ When the request is sent
+ Then the response status is 400 Bad Request
+
+ @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ Scenario: Update a CSM Threats Agent policy returns "OK" response
+ Given there is a valid "policy_rc" in the system
+ And new "UpdateCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter from "policy.data.id"
+ And body with value {"data": {"attributes": {"description": "Updated agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "updated_agent_policy"}, "id": "{{ policy.data.id }}", "type": "policy"}}
+ When the request is sent
+ Then the response status is 200 OK
+
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Update a CSM Threats Agent rule returns "Bad Request" response
- Given there is a valid "agent_rule_rc" in the system
+ Given there is a valid "policy_rc" in the system
+ And there is a valid "agent_rule_rc" in the system
 And new "UpdateCSMThreatsAgentRule" request
 And request contains "agent_rule_id" parameter from "agent_rule.data.id"
- And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "open.file.path = sh"}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}}
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "id": "invalid-agent-rule-id", "type": "agent_rule"}}
 When the request is sent
 Then the response status is 400 Bad Request
 @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Update a CSM Threats Agent rule returns "Concurrent Modification" response
- Given new "UpdateCSMThreatsAgentRule" request
- And there is a valid "agent_rule" in the system
+ Given there is a valid "agent_rule_rc" in the system
+ And there is a valid "policy_rc" in the system
+ And new "UpdateCSMThreatsAgentRule" request
 And request contains "agent_rule_id" parameter from "agent_rule.data.id"
- And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}}
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}}
 When the request is sent
 Then the response status is 409 Concurrent Modification
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Update a CSM Threats Agent rule returns "Not Found" response
- Given new "UpdateCSMThreatsAgentRule" request
- And request contains "agent_rule_id" parameter with value "abc-123-xyz"
- And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"abc-123-xyz"}}
+ Given there is a valid "policy_rc" in the system
+ And new "UpdateCSMThreatsAgentRule" request
+ And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "id": "non-existent-rule-id", "type": "agent_rule"}}
 When the request is sent
 Then the response status is 404 Not Found
- @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+ @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Update a CSM Threats Agent rule returns "OK" response
- Given there is a valid "agent_rule_rc" in the system
+ Given there is a valid "policy_rc" in the system
+ And there is a valid "agent_rule_rc" in the system
 And new "UpdateCSMThreatsAgentRule" request
 And request contains "agent_rule_id" parameter from "agent_rule.data.id"
- And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}}
+ And request contains "policy_id" parameter from "policy.data.id"
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}}
 When the request is sent
 Then the response status is 200 OK
- And the response "data.type" is equal to "agent_rule"
- And the response "data.attributes.description" is equal to "Test Agent rule"
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Update a Cloud Workload Security Agent rule returns "Bad Request" response
 Given there is a valid "agent_rule" in the system
 And new "UpdateCloudWorkloadSecurityAgentRule" request
 And request contains "agent_rule_id" parameter from "agent_rule.data.id"
- And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "open.file.path = sh"}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}}
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name"}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}}
 When the request is sent
 Then the response status is 400 Bad Request
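Review bot: The scenario titled "Update a CSM Threats Agent policy returns "Not Found" response" ends with `Then the response status is 400 Bad Request`, while the Get and Delete policy Not-Found scenarios in this patch expect `404 Not Found`; either the title is wrong or the update endpoint maps an unknown `policy_id` to 400, and as written the test cannot tell those two apart. If 404 is the intended contract change it to `Then the response status is 404 Not Found`; if 400 is intended, retitle the scenario so a later reader does not assume the unknown-id path is covered. In the rule "Concurrent Modification" scenario the Given steps run `agent_rule_rc` before `policy_rc`, yet the `agent_rule_rc` fixture in this same patch interpolates `{{ policy.data.id }}`, so that order would create the rule with an unresolved policy id; swap the two steps (the `@skip` tag hides this today). The rule "OK" scenario also gains `@skip`, which leaves no running test for a successful rule update.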
@@ -196,15 +293,15 @@ Feature: CSM Threats
 Given there is a valid "agent_rule" in the system
 And new "UpdateCloudWorkloadSecurityAgentRule" request
 And request contains "agent_rule_id" parameter from "agent_rule.data.id"
- And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}}
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}}
 When the request is sent
 Then the response status is 409 Concurrent Modification
 @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
 Scenario: Update a Cloud Workload Security Agent rule returns "Not Found" response
 Given new "UpdateCloudWorkloadSecurityAgentRule" request
- And request contains "agent_rule_id" parameter with value "abc-123-xyz"
- And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"abc-123-xyz"}}
+ And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "id": "invalid-agent-rule-id", "type": "agent_rule"}}
 When the request is sent
 Then the response status is 404 Not Found
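Review bot: In "Update a Cloud Workload Security Agent rule returns "Not Found" response" the path parameter is `non-existent-rule-id` but the body carries `"id": "invalid-agent-rule-id"`, so the request is simultaneously a lookup of an unknown rule and a path/body id mismatch. The `404 Not Found` assertion then only holds if the server resolves the path id before checking body consistency, and the test no longer isolates the not-found case. Use the same value in both places, `"id": "non-existent-rule-id"`, as the CSM Threats Update-rule Not-Found scenario earlier in this patch already does.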
@@ -213,8 +310,6 @@ Feature: CSM Threats
 Given there is a valid "agent_rule" in the system
 And new "UpdateCloudWorkloadSecurityAgentRule" request
 And request contains "agent_rule_id" parameter from "agent_rule.data.id"
- And body with value {"data": {"attributes": {"description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "type": "agent_rule", "id":"{{ agent_rule.data.id }}"}}
+ And body with value {"data": {"attributes": {"description": "Updated Agent rule", "expression": "exec.file.name == \"sh\""}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}}
 When the request is sent
 Then the response status is 200 OK
- And the response "data.type" is equal to "agent_rule"
- And the response "data.attributes.description" is equal to "Test Agent rule"
diff --git a/src/test/resources/com/datadog/api/client/v2/api/given.json b/src/test/resources/com/datadog/api/client/v2/api/given.json
index dcce70aed76..95166d223ff 100644
--- a/src/test/resources/com/datadog/api/client/v2/api/given.json
+++ b/src/test/resources/com/datadog/api/client/v2/api/given.json
@@ -531,7 +531,7 @@
 "parameters": [
 {
 "name": "body",
- "value": "{\n \"data\": {\n \"type\": \"agent_rule\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My Agent rule\",\n \"expression\": \"exec.file.name == \\\"sh\\\"\",\n \"enabled\": true\n }\n }\n}"
+ "value": "{\n \"data\": {\n \"type\": \"agent_rule\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My Agent rule\",\n \"expression\": \"exec.file.name == \\\"sh\\\"\",\n \"enabled\": true,\n \"product_tags\": [\"security:attack\", \"technique:T1059\"],\n \"policy_id\": \"{{ policy.data.id }}\"\n }\n }\n}"
 }
 ],
 "step": "there is a valid \"agent_rule_rc\" in the system",
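Review bot: The Update-rule OK scenario now sends `"description": "Updated Agent rule"` and omits `enabled`, but the assertions on `data.type` and `data.attributes.description` are removed in the same hunk, so the test no longer verifies that the update was applied. Restore `And the response "data.type" is equal to "agent_rule"` and add `And the response "data.attributes.description" is equal to "Updated Agent rule"`. An assertion on `data.attributes.enabled` would also pin whether omitting the field leaves the rule enabled or resets it; this page does not show which, and it matters for a detection rule that is meant to stay active after an edit.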
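Review bot: The `agent_rule_rc` fixture body now interpolates `{{ policy.data.id }}`, which makes every scenario using `there is a valid "agent_rule_rc" in the system` depend on `there is a valid "policy_rc" in the system` having run first, and nothing in the fixture enforces or records that. Most scenarios in this patch list `policy_rc` first, but the rule "Concurrent Modification" scenario lists `agent_rule_rc` first and would send the unresolved template as `policy_id`. Since JSON carries no comments, the practical fix is to reorder the Given steps in that scenario and to have the harness fail fast when a `{{ ... }}` reference cannot be resolved rather than sending the literal template to the API.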
@@ -539,6 +539,18 @@
 "tag": "CSM Threats",
 "operationId": "CreateCSMThreatsAgentRule"
 },
+ {
+ "parameters": [
+ {
+ "name": "body",
+ "value": "{\n \"data\": {\n \"type\": \"policy\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My agent policy\",\n \"hostTags\": [\"env:staging\"],\n \"enabled\": true\n }\n }\n}"
+ }
+ ],
+ "step": "there is a valid \"policy_rc\" in the system",
+ "key": "policy",
+ "tag": "CSM Threats",
+ "operationId": "CreateCSMThreatsAgentPolicy"
+ },
 {
 "parameters": [
 {
diff --git a/src/test/resources/com/datadog/api/client/v2/api/undo.json b/src/test/resources/com/datadog/api/client/v2/api/undo.json
index 85514d18997..66ea8a9fa87 100644
--- a/src/test/resources/com/datadog/api/client/v2/api/undo.json
+++ b/src/test/resources/com/datadog/api/client/v2/api/undo.json
@@ -2057,12 +2057,49 @@
 "type": "idempotent"
 }
 },
+ "ListCSMThreatsAgentPolicies": {
+ "tag": "CSM Threats",
+ "undo": {
+ "type": "safe"
+ }
+ },
+ "CreateCSMThreatsAgentPolicy": {
+ "tag": "CSM Threats",
+ "undo": {
+ "operationId": "DeleteCSMThreatsAgentPolicy",
+ "parameters": [
+ {
+ "name": "policy_id",
+ "source": "data.id"
+ }
+ ],
+ "type": "unsafe"
+ }
+ },
 "DownloadCSMThreatsPolicy": {
 "tag": "CSM Threats",
 "undo": {
 "type": "safe"
 }
 },
+ "DeleteCSMThreatsAgentPolicy": {
+ "tag": "CSM Threats",
+ "undo": {
+ "type": "idempotent"
+ }
+ },
+ "GetCSMThreatsAgentPolicy": {
+ "tag": "CSM Threats",
+ "undo": {
+ "type": "safe"
+ }
+ },
+ "UpdateCSMThreatsAgentPolicy": {
+ "tag": "CSM Threats",
+ "undo": {
+ "type": "idempotent"
+ }
+ },
 "CreatePipeline": {
 "tag": "Observability Pipelines",
 "undo": {
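Review bot: The new `CreateCSMThreatsAgentPolicy` undo entry deletes through `DeleteCSMThreatsAgentPolicy` with only `policy_id` from `data.id`, which matches the Delete-policy scenarios in this patch. The feature file, however, now also sends a `policy_id` parameter on `DeleteCSMThreatsAgentRule`, and the existing `CreateCSMThreatsAgentRule` undo entry is outside this hunk; if that entry still passes only `agent_rule_id` and the API requires `policy_id` to delete a rule, cleanup of test-created rules would fail on every run and leave enabled rules attached to test policies in the org the suite runs against. Please verify that entry and, if needed, add a second parameter mapping `policy_id` to the field of the create response that carries the policy id (the exact response path is not visible here).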