--- title: Update a Workload Protection agent rule (US1-FED) description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > API Reference > CSM Threats --- # Update a Workload Protection agent rule (US1-FED){% #update-a-workload-protection-agent-rule-us1-fed %} Copy pageCopied {% tab title="v2" %} | Datadog site | API endpoint | | ----------------- | ------------------------------------------------------------------------------------------------------------------ | | ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id} | | ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id} | | app.datadoghq.eu | PATCH https://api.datadoghq.eu/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id} | | app.ddog-gov.com | PATCH https://api.ddog-gov.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id} | | us2.ddog-gov.com | PATCH https://api.us2.ddog-gov.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id} | | app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id} | | us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id} | | us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id} | ### Overview Update a specific agent rule. Returns the agent rule object when the request is successful. **Note**: This endpoint should only be used for the Government (US1-FED) site. This endpoint requires the `security_monitoring_cws_agent_rules_write` permission. ### Arguments #### Path Parameters | Name | Type | Description | | ------------------------------- | ------ | ------------------------ | | agent_rule_id [*required*] | string | The ID of the Agent rule | ### Request #### Body Data (required) New definition of the agent rule {% tab title="Model" %} | Parent field | Field | Type | Description | | ------------ | ---------------------------- | ------------- | --------------------------------------------------------------------------------------- | | | data [*required*] | object | Object for a single Agent rule | | data | attributes [*required*] | object | Update an existing Cloud Workload Security Agent rule | | attributes | actions | [object] | The array of actions the rule can perform if triggered | | actions | filter | string | SECL expression used to target the container to apply the action on | | actions | hash | object | Hash file specified by the field attribute | | hash | field | string | The field of the hash action | | actions | kill | object | Kill system call applied on the container matching the rule | | kill | signal | string | Supported signals for the kill system call | | actions | metadata | object | The metadata action applied on the scope matching the rule | | metadata | image_tag | string | The image tag of the metadata action | | metadata | service | string | The service of the metadata action | | metadata | short_image | string | The short image of the metadata action | | actions | set | object | The set action applied on the scope matching the rule | | set | append | boolean | Whether the value should be appended to the field. | | set | default_value | string | The default value of the set action | | set | expression | string | The expression of the set action. | | set | field | string | The field of the set action | | set | inherited | boolean | Whether the value should be inherited. | | set | name | string | The name of the set action | | set | scope | string | The scope of the set action. | | set | size | int64 | The size of the set action. | | set | ttl | int64 | The time to live of the set action. | | set | value | | The value of the set action | | value | Option 1 | string | | value | Option 2 | int32 | | value | Option 3 | boolean | | attributes | agent_version | string | Constrain the rule to specific versions of the Datadog Agent | | attributes | blocking | [string] | The blocking policies that the rule belongs to | | attributes | description | string | The description of the Agent rule | | attributes | disabled | [string] | The disabled policies that the rule belongs to | | attributes | enabled | boolean | Whether the Agent rule is enabled | | attributes | expression | string | The SECL expression of the Agent rule | | attributes | monitoring | [string] | The monitoring policies that the rule belongs to | | attributes | policy_id | string | The ID of the policy where the Agent rule is saved | | attributes | product_tags | [string] | The list of product tags associated with the rule | | attributes | silent | boolean | Whether the rule is silent. | | data | id | string | The ID of the Agent rule | | data | type [*required*] | enum | The type of the resource, must always be `agent_rule` Allowed enum values: `agent_rule` | {% /tab %} {% tab title="Example" %} ```json { "data": { "attributes": { "description": "Updated Agent rule", "expression": "exec.file.name == \"sh\"" }, "id": "3dd-0uc-h1s", "type": "agent_rule" } } ``` {% /tab %} ### Response {% tab title="200" %} OK {% tab title="Model" %} Response object that includes an Agent rule | Parent field | Field | Type | Description | | ------------ | ------------------ | ------------- | --------------------------------------------------------------------------------------- | | | data | object | Object for a single Agent rule | | data | attributes | object | A Cloud Workload Security Agent rule returned by the API | | attributes | actions | [object] | The array of actions the rule can perform if triggered | | actions | filter | string | SECL expression used to target the container to apply the action on | | actions | hash | object | Hash file specified by the field attribute | | hash | field | string | The field of the hash action | | actions | kill | object | Kill system call applied on the container matching the rule | | kill | signal | string | Supported signals for the kill system call | | actions | metadata | object | The metadata action applied on the scope matching the rule | | metadata | image_tag | string | The image tag of the metadata action | | metadata | service | string | The service of the metadata action | | metadata | short_image | string | The short image of the metadata action | | actions | set | object | The set action applied on the scope matching the rule | | set | append | boolean | Whether the value should be appended to the field. | | set | default_value | string | The default value of the set action | | set | expression | string | The expression of the set action. | | set | field | string | The field of the set action | | set | inherited | boolean | Whether the value should be inherited. | | set | name | string | The name of the set action | | set | scope | string | The scope of the set action. | | set | size | int64 | The size of the set action. | | set | ttl | int64 | The time to live of the set action. | | set | value | | The value of the set action | | value | Option 1 | string | | value | Option 2 | int32 | | value | Option 3 | boolean | | attributes | agentConstraint | string | The version of the Agent | | attributes | blocking | [string] | The blocking policies that the rule belongs to | | attributes | category | string | The category of the Agent rule | | attributes | creationAuthorUuId | string | The ID of the user who created the rule | | attributes | creationDate | int64 | When the Agent rule was created, timestamp in milliseconds | | attributes | creator | object | The attributes of the user who created the Agent rule | | creator | handle | string | The handle of the user | | creator | name | string | The name of the user | | attributes | defaultRule | boolean | Whether the rule is included by default | | attributes | description | string | The description of the Agent rule | | attributes | disabled | [string] | The disabled policies that the rule belongs to | | attributes | enabled | boolean | Whether the Agent rule is enabled | | attributes | expression | string | The SECL expression of the Agent rule | | attributes | filters | [string] | The platforms the Agent rule is supported on | | attributes | monitoring | [string] | The monitoring policies that the rule belongs to | | attributes | name | string | The name of the Agent rule | | attributes | product_tags | [string] | The list of product tags associated with the rule | | attributes | silent | boolean | Whether the rule is silent. | | attributes | updateAuthorUuId | string | The ID of the user who updated the rule | | attributes | updateDate | int64 | Timestamp in milliseconds when the Agent rule was last updated | | attributes | updatedAt | int64 | When the Agent rule was last updated, timestamp in milliseconds | | attributes | updater | object | The attributes of the user who last updated the Agent rule | | updater | handle | string | The handle of the user | | updater | name | string | The name of the user | | attributes | version | int64 | The version of the Agent rule | | data | id | string | The ID of the Agent rule | | data | type | enum | The type of the resource, must always be `agent_rule` Allowed enum values: `agent_rule` | {% /tab %} {% tab title="Example" %} ```json { "data": { "attributes": { "actions": [ { "filter": "string", "hash": { "field": "string" }, "kill": { "signal": "string" }, "metadata": { "image_tag": "string", "service": "string", "short_image": "string" }, "set": { "append": false, "default_value": "string", "expression": "string", "field": "string", "inherited": false, "name": "string", "scope": "string", "size": "integer", "ttl": "integer", "value": { "type": "undefined" } } } ], "agentConstraint": "string", "blocking": [], "category": "Process Activity", "creationAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002", "creationDate": 1624366480320, "creator": { "handle": "datadog.user@example.com", "name": "Datadog User" }, "defaultRule": false, "description": "My Agent rule", "disabled": [], "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "monitoring": [], "name": "my_agent_rule", "product_tags": [], "silent": false, "updateAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002", "updateDate": 1624366480320, "updatedAt": 1624366480320, "updater": { "handle": "datadog.user@example.com", "name": "Datadog User" }, "version": 23 }, "id": "3dd-0uc-h1s", "type": "agent_rule" } } ``` {% /tab %} {% /tab %} {% tab title="400" %} Bad Request {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="403" %} Not Authorized {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="404" %} Not Found {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="409" %} Concurrent Modification {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="429" %} Too many requests {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} ### Code Example ##### \## default # \# Path parameters export agent_rule_id="3b5-v82-ns6" \# Curl command curl -X PATCH "https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/${agent_rule_id}" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ -d @- << EOF { "data": { "attributes": { "description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"" }, "id": "3dd-0uc-h1s", "type": "agent_rule" } } EOF ##### ```go // Update a Workload Protection agent rule (US1-FED) returns "OK" response package main import ( "context" "encoding/json" "fmt" "os" "github.com/DataDog/datadog-api-client-go/v2/api/datadog" "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2" ) func main() { // there is a valid "agent_rule" in the system AgentRuleDataID := os.Getenv("AGENT_RULE_DATA_ID") body := datadogV2.CloudWorkloadSecurityAgentRuleUpdateRequest{ Data: datadogV2.CloudWorkloadSecurityAgentRuleUpdateData{ Attributes: datadogV2.CloudWorkloadSecurityAgentRuleUpdateAttributes{ Description: datadog.PtrString("Updated Agent rule"), Expression: datadog.PtrString(`exec.file.name == "sh"`), }, Id: datadog.PtrString(AgentRuleDataID), Type: datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE, }, } ctx := datadog.NewDefaultContext(context.Background()) configuration := datadog.NewConfiguration() apiClient := datadog.NewAPIClient(configuration) api := datadogV2.NewCSMThreatsApi(apiClient) resp, r, err := api.UpdateCloudWorkloadSecurityAgentRule(ctx, AgentRuleDataID, body) if err != nil { fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.UpdateCloudWorkloadSecurityAgentRule`: %v\n", err) fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r) } responseContent, _ := json.MarshalIndent(resp, "", " ") fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.UpdateCloudWorkloadSecurityAgentRule`:\n%s\n", responseContent) } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=go) and then save the example to `main.go` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" go run "main.go" ##### ```java // Update a Workload Protection agent rule (US1-FED) returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; import com.datadog.api.client.v2.api.CsmThreatsApi; import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse; import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleType; import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleUpdateAttributes; import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleUpdateData; import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleUpdateRequest; public class Example { public static void main(String[] args) { ApiClient defaultClient = ApiClient.getDefaultApiClient(); CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient); // there is a valid "agent_rule" in the system String AGENT_RULE_DATA_ID = System.getenv("AGENT_RULE_DATA_ID"); CloudWorkloadSecurityAgentRuleUpdateRequest body = new CloudWorkloadSecurityAgentRuleUpdateRequest() .data( new CloudWorkloadSecurityAgentRuleUpdateData() .attributes( new CloudWorkloadSecurityAgentRuleUpdateAttributes() .description("Updated Agent rule") .expression(""" exec.file.name == "sh" """)) .id(AGENT_RULE_DATA_ID) .type(CloudWorkloadSecurityAgentRuleType.AGENT_RULE)); try { CloudWorkloadSecurityAgentRuleResponse result = apiInstance.updateCloudWorkloadSecurityAgentRule(AGENT_RULE_DATA_ID, body); System.out.println(result); } catch (ApiException e) { System.err.println( "Exception when calling CsmThreatsApi#updateCloudWorkloadSecurityAgentRule"); System.err.println("Status code: " + e.getCode()); System.err.println("Reason: " + e.getResponseBody()); System.err.println("Response headers: " + e.getResponseHeaders()); e.printStackTrace(); } } } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=java) and then save the example to `Example.java` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" java "Example.java" ##### ```python """ Update a Workload Protection agent rule (US1-FED) returns "OK" response """ from os import environ from datadog_api_client import ApiClient, Configuration from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi from datadog_api_client.v2.model.cloud_workload_security_agent_rule_type import CloudWorkloadSecurityAgentRuleType from datadog_api_client.v2.model.cloud_workload_security_agent_rule_update_attributes import ( CloudWorkloadSecurityAgentRuleUpdateAttributes, ) from datadog_api_client.v2.model.cloud_workload_security_agent_rule_update_data import ( CloudWorkloadSecurityAgentRuleUpdateData, ) from datadog_api_client.v2.model.cloud_workload_security_agent_rule_update_request import ( CloudWorkloadSecurityAgentRuleUpdateRequest, ) # there is a valid "agent_rule" in the system AGENT_RULE_DATA_ID = environ["AGENT_RULE_DATA_ID"] body = CloudWorkloadSecurityAgentRuleUpdateRequest( data=CloudWorkloadSecurityAgentRuleUpdateData( attributes=CloudWorkloadSecurityAgentRuleUpdateAttributes( description="Updated Agent rule", expression='exec.file.name == "sh"', ), id=AGENT_RULE_DATA_ID, type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE, ), ) configuration = Configuration() with ApiClient(configuration) as api_client: api_instance = CSMThreatsApi(api_client) response = api_instance.update_cloud_workload_security_agent_rule(agent_rule_id=AGENT_RULE_DATA_ID, body=body) print(response) ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=python) and then save the example to `example.py` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" python3 "example.py" ##### ```ruby # Update a Workload Protection agent rule (US1-FED) returns "OK" response require "datadog_api_client" api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new # there is a valid "agent_rule" in the system AGENT_RULE_DATA_ID = ENV["AGENT_RULE_DATA_ID"] body = DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleUpdateRequest.new({ data: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleUpdateData.new({ attributes: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleUpdateAttributes.new({ description: "Updated Agent rule", expression: 'exec.file.name == "sh"', }), id: AGENT_RULE_DATA_ID, type: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleType::AGENT_RULE, }), }) p api_instance.update_cloud_workload_security_agent_rule(AGENT_RULE_DATA_ID, body) ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=ruby) and then save the example to `example.rb` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" rb "example.rb" ##### ```rust // Update a Workload Protection agent rule (US1-FED) returns "OK" response use datadog_api_client::datadog; use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI; use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleType; use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleUpdateAttributes; use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleUpdateData; use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleUpdateRequest; #[tokio::main] async fn main() { // there is a valid "agent_rule" in the system let agent_rule_data_id = std::env::var("AGENT_RULE_DATA_ID").unwrap(); let body = CloudWorkloadSecurityAgentRuleUpdateRequest::new( CloudWorkloadSecurityAgentRuleUpdateData::new( CloudWorkloadSecurityAgentRuleUpdateAttributes::new() .description("Updated Agent rule".to_string()) .expression(r#"exec.file.name == "sh""#.to_string()), CloudWorkloadSecurityAgentRuleType::AGENT_RULE, ) .id(agent_rule_data_id.clone()), ); let configuration = datadog::Configuration::new(); let api = CSMThreatsAPI::with_config(configuration); let resp = api .update_cloud_workload_security_agent_rule(agent_rule_data_id.clone(), body) .await; if let Ok(value) = resp { println!("{:#?}", value); } else { println!("{:#?}", resp.unwrap_err()); } } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=rust) and then save the example to `src/main.rs` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" cargo run ##### ```typescript /** * Update a Workload Protection agent rule (US1-FED) returns "OK" response */ import { client, v2 } from "@datadog/datadog-api-client"; const configuration = client.createConfiguration(); const apiInstance = new v2.CSMThreatsApi(configuration); // there is a valid "agent_rule" in the system const AGENT_RULE_DATA_ID = process.env.AGENT_RULE_DATA_ID as string; const params: v2.CSMThreatsApiUpdateCloudWorkloadSecurityAgentRuleRequest = { body: { data: { attributes: { description: "Updated Agent rule", expression: `exec.file.name == "sh"`, }, id: AGENT_RULE_DATA_ID, type: "agent_rule", }, }, agentRuleId: AGENT_RULE_DATA_ID, }; apiInstance .updateCloudWorkloadSecurityAgentRule(params) .then((data: v2.CloudWorkloadSecurityAgentRuleResponse) => { console.log( "API called successfully. Returned data: " + JSON.stringify(data) ); }) .catch((error: any) => console.error(error)); ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=typescript) and then save the example to `example.ts` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" tsc "example.ts" {% /tab %}