Language

English Français 日本語 한국어 Español

Datadog Site

Site help
US1 US3 US5 EU AP1 AP2 US1-FED US2-FED

Get a Workload Protection agent rule

GET https://api.ap1.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.ap2.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.datadoghq.eu/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.ddog-gov.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.us2.ddog-gov.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.us3.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.us5.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}

Overview

Get the details of a specific Workload Protection agent rule.

Note: This endpoint is not available for the Government (US1-FED) site. Please reference the (US1-FED) specific resource below.

Arguments

Path Parameters

Name

Type

Description

agent_rule_id [required]

string

The ID of the Agent rule

Query Strings

Name

Type

Description

policy_id

string

The ID of the Agent policy

Response

OK

Response object that includes an Agent rule

Expand All

Field

Type

Description

data

object

Object for a single Agent rule

attributes

object

A Cloud Workload Security Agent rule returned by the API

actions

[object]

The array of actions the rule can perform if triggered

filter

string

SECL expression used to target the container to apply the action on

hash

object

Hash file specified by the field attribute

field

string

The field of the hash action

kill

object

Kill system call applied on the container matching the rule

signal

string

Supported signals for the kill system call

metadata

object

The metadata action applied on the scope matching the rule

image_tag

string

The image tag of the metadata action

service

string

The service of the metadata action

short_image

string

The short image of the metadata action

set

object

The set action applied on the scope matching the rule

append

boolean

Whether the value should be appended to the field.

default_value

string

The default value of the set action

expression

string

The expression of the set action.

field

string

The field of the set action

inherited

boolean

Whether the value should be inherited.

name

string

The name of the set action

scope

string

The scope of the set action.

size

int64

The size of the set action.

ttl

int64

The time to live of the set action.

value

 <oneOf>

The value of the set action

Option 1

string

Option 2

integer

Option 3

boolean

agentConstraint

string

The version of the Agent

blocking

[string]

The blocking policies that the rule belongs to

category

string

The category of the Agent rule

creationAuthorUuId

string

The ID of the user who created the rule

creationDate

int64

When the Agent rule was created, timestamp in milliseconds

creator

object

The attributes of the user who created the Agent rule

handle

string

The handle of the user

name

string

The name of the user

defaultRule

boolean

Whether the rule is included by default

description

string

The description of the Agent rule

disabled

[string]

The disabled policies that the rule belongs to

enabled

boolean

Whether the Agent rule is enabled

expression

string

The SECL expression of the Agent rule

filters

[string]

The platforms the Agent rule is supported on

monitoring

[string]

The monitoring policies that the rule belongs to

name

string

The name of the Agent rule

product_tags

[string]

The list of product tags associated with the rule

silent

boolean

Whether the rule is silent.

updateAuthorUuId

string

The ID of the user who updated the rule

updateDate

int64

Timestamp in milliseconds when the Agent rule was last updated

updatedAt

int64

When the Agent rule was last updated, timestamp in milliseconds

updater

object

The attributes of the user who last updated the Agent rule

handle

string

The handle of the user

name

string

The name of the user

version

int64

The version of the Agent rule

id

string

The ID of the Agent rule

type

enum

The type of the resource, must always be agent_rule Allowed enum values: agent_rule

default: agent_rule

{
  "data": {
    "attributes": {
      "actions": [
        {
          "filter": "string",
          "hash": {
            "field": "string"
          },
          "kill": {
            "signal": "string"
          },
          "metadata": {
            "image_tag": "string",
            "service": "string",
            "short_image": "string"
          },
          "set": {
            "append": false,
            "default_value": "string",
            "expression": "string",
            "field": "string",
            "inherited": false,
            "name": "string",
            "scope": "string",
            "size": "integer",
            "ttl": "integer",
            "value": {
              "type": "undefined"
            }
          }
        }
      ],
      "agentConstraint": "string",
      "blocking": [],
      "category": "Process Activity",
      "creationAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "creationDate": 1624366480320,
      "creator": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "defaultRule": false,
      "description": "My Agent rule",
      "disabled": [],
      "enabled": true,
      "expression": "exec.file.name == \"sh\"",
      "filters": [],
      "monitoring": [],
      "name": "my_agent_rule",
      "product_tags": [],
      "silent": false,
      "updateAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "updateDate": 1624366480320,
      "updatedAt": 1624366480320,
      "updater": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "version": 23
    },
    "id": "3dd-0uc-h1s",
    "type": "agent_rule"
  }
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Path parameters
export agent_rule_id="3b5-v82-ns6"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.us2.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/${agent_rule_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                
"""
Get a Workload Protection agent rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi

# there is a valid "agent_rule_rc" in the system
AGENT_RULE_DATA_ID = environ["AGENT_RULE_DATA_ID"]

# there is a valid "policy_rc" in the system
POLICY_DATA_ID = environ["POLICY_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = CSMThreatsApi(api_client)
    response = api_instance.get_csm_threats_agent_rule(
        agent_rule_id=AGENT_RULE_DATA_ID,
        policy_id=POLICY_DATA_ID,
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Get a Workload Protection agent rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new

# there is a valid "agent_rule_rc" in the system
AGENT_RULE_DATA_ID = ENV["AGENT_RULE_DATA_ID"]

# there is a valid "policy_rc" in the system
POLICY_DATA_ID = ENV["POLICY_DATA_ID"]
opts = {
  policy_id: POLICY_DATA_ID,
}
p api_instance.get_csm_threats_agent_rule(AGENT_RULE_DATA_ID, opts)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Get a Workload Protection agent rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "agent_rule_rc" in the system
	AgentRuleDataID := os.Getenv("AGENT_RULE_DATA_ID")

	// there is a valid "policy_rc" in the system
	PolicyDataID := os.Getenv("POLICY_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewCSMThreatsApi(apiClient)
	resp, r, err := api.GetCSMThreatsAgentRule(ctx, AgentRuleDataID, *datadogV2.NewGetCSMThreatsAgentRuleOptionalParameters().WithPolicyId(PolicyDataID))

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.GetCSMThreatsAgentRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.GetCSMThreatsAgentRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Get a Workload Protection agent rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.CsmThreatsApi;
import com.datadog.api.client.v2.api.CsmThreatsApi.GetCSMThreatsAgentRuleOptionalParameters;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);

    // there is a valid "agent_rule_rc" in the system
    String AGENT_RULE_DATA_ID = System.getenv("AGENT_RULE_DATA_ID");

    // there is a valid "policy_rc" in the system
    String POLICY_DATA_ID = System.getenv("POLICY_DATA_ID");

    try {
      CloudWorkloadSecurityAgentRuleResponse result =
          apiInstance.getCSMThreatsAgentRule(
              AGENT_RULE_DATA_ID,
              new GetCSMThreatsAgentRuleOptionalParameters().policyId(POLICY_DATA_ID));
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling CsmThreatsApi#getCSMThreatsAgentRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
// Get a Workload Protection agent rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI;
use datadog_api_client::datadogV2::api_csm_threats::GetCSMThreatsAgentRuleOptionalParams;

#[tokio::main]
async fn main() {
    // there is a valid "agent_rule_rc" in the system
    let agent_rule_data_id = std::env::var("AGENT_RULE_DATA_ID").unwrap();

    // there is a valid "policy_rc" in the system
    let policy_data_id = std::env::var("POLICY_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = CSMThreatsAPI::with_config(configuration);
    let resp = api
        .get_csm_threats_agent_rule(
            agent_rule_data_id.clone(),
            GetCSMThreatsAgentRuleOptionalParams::default().policy_id(policy_data_id.clone()),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
 * Get a Workload Protection agent rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.CSMThreatsApi(configuration);

// there is a valid "agent_rule_rc" in the system
const AGENT_RULE_DATA_ID = process.env.AGENT_RULE_DATA_ID as string;

// there is a valid "policy_rc" in the system
const POLICY_DATA_ID = process.env.POLICY_DATA_ID as string;

const params: v2.CSMThreatsApiGetCSMThreatsAgentRuleRequest = {
  agentRuleId: AGENT_RULE_DATA_ID,
  policyId: POLICY_DATA_ID,
};

apiInstance
  .getCSMThreatsAgentRule(params)
  .then((data: v2.CloudWorkloadSecurityAgentRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"