OOTB Rules

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Datadog provides out-of-the-box (OOTB) detection rules to flag attacker techniques and potential misconfigurations so you can immediately take steps to remediate. Datadog continuously develops new default rules, which are automatically imported into your account, your Application Security Management library, and the Agent, depending on your configuration. For more information, see the Detection Rules documentation.

Click on the buttons below to filter by different parts of Datadog Security. OOTB rules are available for Cloud SIEM, Posture Management, which is divided into cloud or infrastructure configuration, Workload Security, and Application Security Management.

azure
Azure
>
azure Azure Active Directory risky sign-in
azure Azure AD brute force login
azure Azure AD Identity Protection risky user
azure Azure AD Login Without MFA
azure Azure AD member assigned built-in Administrator role
azure Azure AD member assigned Global Administrator role
azure Azure AD Privileged Identity Management member assigned
azure Azure Datadog Log Forwarder Deleted
azure Azure diagnostic setting deleted or disabled
azure Azure disk export URI created
azure Azure Firewall Threat Intelligence Alert
azure Azure Frontdoor WAF Blocked a Request
azure Azure Frontdoor WAF Logged a Request
azure Azure Login Explicitly Denied MFA
azure Azure Network Security Group Open to the World
azure Azure Network Security Groups or Rules Created, Modified, or Deleted
azure Azure new owner added for service principal
azure Azure New Owner added to Azure Active Directory application
azure Azure New Service Principal created
azure Azure Policy Assignment Created
azure Azure Service Principal was assigned a role
azure Azure snapshot export URI created
azure Azure SQL Server Firewall Rules Created or Modified
azure Azure user invited an external user
azure Azure user ran command on container instance
azure Azure user viewed CosmosDB access keys
azure Azure user viewed CosmosDB connection string
azure Brute-forced user has assigned a role
azure Credential added to Azure AD application
azure Credential added to rarely used Azure AD application
azure Credential Stuffing Attack on Azure
azure Microsoft 365 - Modification of Trusted Domain
azure Potential Illicit Consent Grant attack via Azure registered application
azure Tor client IP address identified within Azure environment
azure User ran a command on Azure Compute
cloudtrail
Cloudtrail
>
cloudtrail A user received an anomalous number of AccessDenied errors
cloudtrail Amazon S3 bucket policy modified
cloudtrail Amazon SES enumeration attempt by previously unseen user
cloudtrail Amazon SES modification attempt
cloudtrail An AWS account attempted to leave the AWS Organization
cloudtrail An AWS S3 bucket lifecycle expiration policy was set to disabled
cloudtrail An AWS S3 bucket lifecycle policy expiration is set to < 90 days
cloudtrail An AWS S3 bucket mfaDelete is disabled
cloudtrail An EC2 instance attempted to enumerate S3 bucket
cloudtrail Anomalous amount of access denied events for AWS EC2 Instance
cloudtrail Anomalous amount of Autoscaling Group events
cloudtrail Anomalous API Gateway API key reads by user
cloudtrail Anomalous number of assumed roles from user
cloudtrail Anomalous number of S3 buckets accessed
cloudtrail Anomalous S3 bucket activity from user ARN
cloudtrail AWS AMI Made Public
cloudtrail AWS CloudTrail configuration modified
cloudtrail AWS CloudWatch log group deleted
cloudtrail AWS CloudWatch rule disabled or deleted
cloudtrail AWS Config modified
cloudtrail AWS Console login without MFA
cloudtrail AWS ConsoleLogin with MFA triggered Impossible Travel scenario
cloudtrail AWS ConsoleLogin without MFA triggered Impossible Travel scenario
cloudtrail AWS Detective Graph deleted
cloudtrail AWS Disable Cloudtrail with event selectors
cloudtrail AWS EBS default encryption disabled
cloudtrail AWS EBS Snapshot Made Public
cloudtrail AWS EBS Snapshot possible exfiltration
cloudtrail AWS EC2 new event for application
cloudtrail AWS EC2 new event for EKS Node Group
cloudtrail AWS EC2 subnet deleted
cloudtrail AWS ECS cluster deleted
cloudtrail AWS EventBridge rule disabled or deleted
cloudtrail AWS GuardDuty detector deleted
cloudtrail AWS GuardDuty publishing destination deleted
cloudtrail AWS GuardDuty threat intel set deleted
cloudtrail AWS IAM activity from EC2 instance
cloudtrail AWS IAM AdministratorAccess policy was applied to a group
cloudtrail AWS IAM AdministratorAccess policy was applied to a role
cloudtrail AWS IAM AdministratorAccess policy was applied to a user
cloudtrail AWS IAM policy changed
cloudtrail AWS IAM privileged policy was applied to a group
cloudtrail AWS IAM privileged policy was applied to a role
cloudtrail AWS IAM privileged policy was applied to a user
cloudtrail AWS Kinesis Firehose stream destination modified
cloudtrail AWS KMS key deleted or scheduled for deletion
cloudtrail AWS Network Access Control List created or modified
cloudtrail AWS Network Gateway created or modified
cloudtrail AWS RDS Cluster deleted
cloudtrail AWS root account activity
cloudtrail AWS Route 53 DNS query logging disabled
cloudtrail AWS Route 53 VPC disassociated from query logging configuration
cloudtrail AWS Route Table created or modified
cloudtrail AWS S3 Bucket ACL made public
cloudtrail AWS S3 Public Access Block removed
cloudtrail AWS security group created, modified or deleted
cloudtrail AWS Security Hub disabled
cloudtrail AWS VPC created or modified
cloudtrail AWS VPC Flow Log Deleted
cloudtrail AWS WAF traffic blocked by specific rule
cloudtrail AWS WAF traffic blocked by specific rule on multiple IPs
cloudtrail AWS WAF web access control list deleted
cloudtrail AWS WAF web access control list modified
cloudtrail CloudTrail global services are enabled
cloudtrail Compromised AWS EC2 Instance
cloudtrail Compromised AWS IAM User Access Key
cloudtrail Encrypted administrator password retrieved for Windows EC2 instance
cloudtrail New Amazon EC2 Instance type
cloudtrail New AWS account seen assuming a role into AWS account
cloudtrail New Private Repository Container Image detected in AWS ECR
cloudtrail New Public Repository Container Image detected in AWS ECR
cloudtrail New user seen executing a command in an ECS task
cloudtrail Possible AWS EC2 privilege escalation via the modification of user data
cloudtrail Possible privilege escalation via AWS IAM CreateLoginProfile
cloudtrail Possible RDS Snapshot Exfiltration
cloudtrail Potential administrative port open to the world via AWS security group
cloudtrail Potential brute force attack on AWS ConsoleLogin
cloudtrail Potential database port open to the world via AWS security group
cloudtrail Security group open to the world
cloudtrail The AWS managed policy AWSCompromisedKeyQuarantineV2 has been attached
cloudtrail Tor client IP address identified within AWS environment
cloudtrail User enumerated AWS Secrets Manager - Anomaly
cloudtrail User enumerated AWS Systems Manager parameters - Anomaly
cloudtrail User travel was impossible in AWS CloudTrail IAM log
gcp
GCP
>
gcp Access denied for Google Cloud Service Account
gcp Anomalous number of Google Cloud Compute GPU virtual machines created
gcp Anomalous number of Google Cloud Storage Buckets Accessed
gcp Anomalous number of Google Cloud Storage Objects Accessed
gcp Anomalous number of Google Compute Engine instances created in multiple zones by user
gcp Attempt to add SSH key to Google Compute Engine project metadata by a previously unseen user
gcp Google App Engine service account used outside of Google Cloud
gcp Google Cloud BigQuery - query results saved to cloud storage
gcp Google Cloud BigQuery - query results saved to new table
gcp Google Cloud BigQuery results saved to cloud storage by a previously unseen user
gcp Google Cloud Compute Engine GPU virtual machine instance created
gcp Google Cloud GCE instance startup script added or modified
gcp Google Cloud IAM policy modified
gcp Google Cloud IAM role created
gcp Google Cloud IAM Role updated
gcp Google Cloud Logging Bucket deleted
gcp Google Cloud logging sink modified
gcp Google Cloud Project external principal added as project owner
gcp Google Cloud Pub/Sub Subscriber modified
gcp Google Cloud Pub/Sub topic deleted
gcp Google Cloud Service Account accessing anomalous number of Google Cloud APIs
gcp Google Cloud Service Account created
gcp Google Cloud Service Account Impersonation activity using access token generation
gcp Google Cloud Service Account Impersonation using GCPloit Exploitation Framework
gcp Google Cloud Service Account key created
gcp Google Cloud SQL database modified
gcp Google Cloud SQL instance data exported to cloud storage
gcp Google Cloud SQL instance data exported to cloud storage by a previously unseen user
gcp Google Cloud Storage Bucket contents downloaded without authentication
gcp Google Cloud Storage Bucket enumerated
gcp Google Cloud Storage Bucket modified
gcp Google Cloud Storage Bucket permissions modified
gcp Google Cloud unauthorized service account activity
gcp Google Cloud unauthorized user activity
gcp Google Compute Engine firewall egress rule opened to the world
gcp Google Compute Engine firewall rule modified
gcp Google Compute Engine image created
gcp Google Compute Engine instance metadata SSH key added or modified
gcp Google Compute Engine instances created in multiple zones by user
gcp Google Compute Engine network created
gcp Google Compute Engine network route created or modified
gcp Google Compute Engine project metadata SSH key added or modified
gcp Google Compute Engine service account used outside of Google Cloud
gcp Potential Google Cloud cryptomining attack from Tor IP
gcp Tor client IP address identified within Google Cloud environment
google.workspace.alert.center
Google.Workspace.Alert.Center
>