OOTB Rules

Datadog provides out-of-the-box (OOTB) detection rules to flag attacker techniques and potential misconfigurations so you can immediately take steps to remediate. Datadog continuously develops new default rules, which are automatically imported into your account, your Application Security Management library, and the Agent, depending on your configuration. For more information, see the Detection Rules documentation.

Click on the buttons below to filter by different parts of Datadog Security. OOTB rules are available for Cloud SIEM, Posture Management, which is divided into cloud or infrastructure configuration, Workload Security, and Application Security Management.

すべてAPPLICATION SECURITYCLOUD SECURITY MANAGEMENTCLOUD SIEM (LOG DETECTION)CLOUD SIEM (SIGNAL CORRELATION)POSTURE MANAGEMENT (CLOUD)WORKLOAD SECURITY

ACM

>

ACM certificate does not expire within the next 7 days
ACM certificate is active
ACM certificate is valid for 30 or more days
ACM certificate issue request is not pending validation

Amazon Fsx

>

AWS FSx Excessive File Denied

Apache

>

Apache HTTP requests from security scanner

Application Security

>

Cassandra injection vulnerability triggered
CQL injections attempted on route performing Cassandra queries
Credential Stuffing attack
Local File Inclusion (LFI) attack attempts
Log4shell RCE attempts - CVE-2021-44228
Log4shell vulnerability triggered (RCE) - CVE-2021-44228
Mongo injections attempted on route performing Mongo queries
OGNL injection attack attempts on routes parsing OGNL
OGNL injection attempts on route processing OGNL expressions
Reflected XSS attempts on routes returning HTML
Resource enumeration detected
Security scanner detected
Spring4shell RCE attempts - CVE-2022-22963
SQL injection attempts on routes performing SQL queries
SQL injection vulnerability triggered
SSRF attempts on route executing network queries
SSRF vulnerability triggered

Auth0

>

Auth0 user logged in with a breached password
Brute force attack on an Auth0 user
Credential stuffing attack on Auth0
Impossible Travel Auth0 login

AWS

>

Brute forced ConsoleLogin event correlates with an assumed role event
ConsoleLogin event correlates privileged policy applying to a role
Impossible travel event leads to permission enumeration

Azure

>

Azure Active Directory Risky Sign-In
Azure AD brute force login
Azure AD Login Without MFA
Azure AD member assigned built-in Administrator role
Azure AD member assigned Global Administrator role
Azure Datadog Log Forwarder Deleted
Azure diagnostic setting deleted or disabled
Azure disk export URI created
Azure Firewall Threat Intelligence Alert
Azure Frontdoor WAF Blocked a Request
Azure Frontdoor WAF Logged a Request
Azure Login Explicitly Denied MFA
Azure Network Security Group Open to the World
Azure Network Security Groups or Rules Created, Modified, or Deleted
Azure new owner added for service principal
Azure New Owner added to Azure Active Directory application
Azure New Service Principal created
Azure Policy Assignment Created
Azure Service Principal was assigned a role
Azure snapshot export URI created
Azure SQL Server Firewall Rules Created or Modified
Azure user invited an external user
Azure user ran command on container instance
Azure user viewed CosmosDB access keys
Azure user viewed CosmosDB connection string
Brute-forced user has assigned a role
Credential added to Azure AD application
Credential added to rarely used Azure AD application
Credential Stuffing Attack on Azure
Microsoft 365 - Modification of Trusted Domain
Potential Illicit Consent Grant attack via Azure registered application
User ran a command on Azure Compute

Azure.Activity Log

>

User has 'Create or Update Load Balancer' activity log alert configured
User has 'Create or Update Storage Accounts' activity log alert configured
User has 'Create or Update Virtual Machines' activity log alert configured
User has 'Create Update Azure SQL Database' activity log alert configured
User has 'Create Update MySQL Database' activity log alert configured
User has 'Create Update PostgreSQL Database' activity log alert configured
User has 'Deallocate Virtual Machines' activity log alert configured
User has 'Delete Azure SQL Database' activity log alert configured
User has 'Delete Key Vault' activity log alert configured
User has 'Delete Load Balancer' activity log alert configured
User has 'Delete MySQL Database' activity log alert configured
User has 'Delete PostgreSQL Database' activity log alert configured
User has 'Delete Storage Accounts' activity log alert configured
User has 'Delete Virtual Machines' activity log alert configured
User has 'Power Off Virtual Machine' activity log alert configured
User has 'Rename Azure SQL Database' activity log alert configured
User has 'Update Key Vault' activity log alert configured
User has 'Update Security Policy' activity log alert configured

Azure.App Service

>

Azure App Service is set to always on

Azure.Appservice

>

Azure App Service has remote debugging disabled

Azure.Compute

>

Azure VM requires SSH Authentication

Azure.Dbforpostgresql

>

Azure PostgreSQL database server uses geo-redundant backups
Azure PostgreSQL Database Server uses the current major PostgreSQL version
Server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server

Azure.Kubernetes

>

Azure Kubernetes Service (AKS) Private Cluster Feature is enabled

Azure.Network

>

Network Security Group does not use port ranges

Azure.Networkwatcher

>

Azure network service group log retention is properly set

Azure.Security

>

PostgreSQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)

Azure.Storage

>

Blob Containers do not allow anonymous access
Immutable Blob Storage is enabled

Cloud Workload Security

>

AppArmor profile modified
Compiler wrote suspicious file
DNS lookup for cryptocurrency mining pool
DNS lookup for IP lookup service
DNS lookup for paste service
File created and executed inside container
Network utility executed with suspicious URI
Process arguments match cryptocurrency miner
Process injected into another process
PTRACE_TRACEME used to prevent process debugging
Pwnkit privilege escalation attempt
Python executed with suspicious arguments
Runc binary modified
Shell command history modified
Suspected dynamic linker hijacking attempt
Unfamiliar kernel module loaded
Unfamiliar kernel module loaded from memory
User created interactively

Cloudfront

>

Cloudfront distribution is encrypted
Cloudfront distribution is field-level encrypted
CloudFront distribution is integrated with WAF
CloudFront distribution's security policy is TLS v1.1 or greater
CloudFront logging is enabled
Cloudfront viewer is encrypted

Cloudtrail

>

A user received an anomalous number of AccessDenied errors
A user received multiple AccessDenied errors
An AWS account attempted to leave the AWS Organization
An AWS S3 bucket lifecycle expiration policy was set to disabled
An AWS S3 bucket lifecycle policy expiration is set to < 90 days
An AWS S3 bucket lifecycle policy was deleted
An AWS S3 bucket mfaDelete is disabled
An EC2 instance attempted to enumerate S3 bucket
Anomalous amount of access denied events for AWS EC2 Instance
Anomalous amount of Autoscaling Group events
Anomalous API Gateway API key reads by user
Anomalous number of assumed roles from user
Anomalous number of S3 buckets accessed
Anomalous S3 bucket activity from user ARN
AWS AMI Made Public
AWS CloudTrail configuration modified
AWS CloudWatch log group deleted
AWS CloudWatch rule disabled or deleted
AWS Config modified
AWS Console login without MFA
AWS ConsoleLogin with MFA triggered Impossible Travel scenario
AWS ConsoleLogin without MFA triggered Impossible Travel scenario
AWS Detective Graph deleted
AWS Disable Cloudtrail with event selectors
AWS EBS default encryption disabled
AWS EBS Snapshot Made Public
AWS EBS Snapshot possible exfiltration
AWS EC2 new event for application
AWS EC2 new event for EKS Node Group
AWS EC2 subnet deleted
AWS ECS cluster deleted
AWS EventBridge rule disabled or deleted
AWS FlowLogs removed
AWS GuardDuty detector deleted
AWS GuardDuty publishing destination deleted
AWS GuardDuty threat intel set deleted
AWS IAM policy changed
AWS IAM privileged policy was applied to a group
AWS IAM privileged policy was applied to a role
AWS IAM privileged policy was applied to a user
AWS Kinesis Firehose stream destination modified
AWS KMS key deleted or scheduled for deletion
AWS Network Access Control List created or modified
AWS Network Gateway created or modified
AWS RDS Cluster deleted
AWS root account activity
AWS Route 53 DNS query logging disabled
AWS Route 53 VPC disassociated from query logging configuration
AWS Route Table created or modified
AWS S3 Bucket ACL Made Public
AWS S3 Public Access Block removed
AWS security group created, modified or deleted
AWS Security Hub disabled
AWS VPC created or modified
AWS VPC Flow Log Deleted
AWS WAF traffic blocked by specific rule
AWS WAF traffic blocked by specific rule on multiple IPs
AWS WAF web access control list deleted
AWS WAF web access control list modified
CloudTrail global services are enabled
Compromised AWS EC2 Instance
Compromised AWS IAM User Access Key
Encrypted administrator password retrieved for Windows EC2 instance
New AWS Account Seen Assuming a Role into AWS Account
New EC2 Instance Type
New Private Repository Container Image detected in AWS ECR
New Public Repository Container Image detected in AWS ECR
New user seen executing a command in an ECS task
Possible AWS EC2 privilege escalation via the modification of user data
Possible Privilege Escalation via AWS IAM CreateLoginProfile
Possible RDS Snapshot Exfiltration
Potential administrative port open to the world via AWS security group
Potential brute force attack on AWS ConsoleLogin
Potential database port open to the world via AWS security group
S3 bucket policy modified
Security group open to the world
User enumerated AWS Secrets Manager - Anomaly
User enumerated AWS Systems Manager parameters - Anomaly
User travel was impossible in AWS CloudTrail IAM log

Dynamodb

>

DynamoDB table is encrypted

EBS

>

EBS snapshot is encrypted
EBS volume is encrypted
EBS volume snapshot is not publicly shared with other AWS accounts

EC2

>

Access to PostgreSQL Database Server port is restricted
AMI is not publicly shared
EC2 instance uses IMDSv2
Inbound CIFS access is restricted
Inbound DNS access is restricted
Inbound FTP access is restricted
Inbound HTTP access is restricted
Inbound HTTPS access is restricted
Inbound ICMP access is restricted
Inbound MongoDB access is restricted
Inbound MSSQL access is restricted
Inbound MySQL access is restricted
Inbound OpenSearch access is restricted
Inbound Oracle access is restricted
Inbound RPC access is restricted
Inbound SMTP access is restricted
Inbound SSH access is restricted
Inbound TCP NetBIOS access is restricted
Inbound Telnet access is restricted
Inbound UDP NetBIOS access is restricted
Outbound access on all ports is restricted

Elasticache

>

ElastiCache cluster is not using default ports
ElastiCache cluster is provisioned in a VPC
ElastiCache cluster is using the latest engine version

Elasticsearch

>

Elasticsearch cluster is using the latest engine version
Elasticsearch domain is not publicly accessible
Elasticsearch domain resides in a VPC
Elasticsearch domains are encrypted
Elasticsearch domains are encrypted with KMS Customer Master Keys

ELB

>

AWS ELB HTTP requests from security scanner
Classic Load Balancer listener is securely configured
ELB is generating access logs
ELBv2 Network Load Balancer listeners employ TLS or HTTPS

Elbv2

>

ELBv2 ALB is using a secure listener
ELBv2 is generating access logs
ELBv2 load balancer is using the latest security policy

Fastly

>

Fastly HTTP Requests from Security Scanner

File Integrity Monitoring

>

Credentials file modified
Critical system binary modified
Cron job modified
Kernel module directory modified
Name Service Switch configuration modified
SELinux enforcement disabled
SSH authorized keys modified
SSL certificate tampering
System authentication files modified
Systemd service modified

GCP

>

Access denied for Google Cloud Service Account
Anomalous number of Google Cloud Storage Buckets Accessed
Anomalous number of Google Cloud Storage Objects Accessed
Attempt to add SSH key to Google Compute Engine project metadata by a previously unseen user
Google Cloud BigQuery - query results saved to cloud storage
Google Cloud BigQuery - query results saved to new table
Google Cloud BigQuery results saved to cloud storage by a previously unseen user
Google Cloud GCE instance startup script added or modified
Google Cloud IAM policy modified
Google Cloud IAM role created
Google Cloud IAM Role updated
Google Cloud Logging Bucket deleted
Google Cloud logging sink modified
Google Cloud Project external principal added as project owner
Google Cloud Pub/Sub Subscriber modified
Google Cloud Pub/Sub topic deleted
Google Cloud Service Account accessing anomalous number of Google Cloud APIs
Google Cloud Service Account created
Google Cloud Service Account Impersonation activity using access token generation
Google Cloud Service Account Impersonation using GCPloit Exploitation Framework
Google Cloud Service Account key created
Google Cloud SQL database modified
Google Cloud SQL instance data exported to cloud storage
Google Cloud SQL instance data exported to cloud storage by a previously unseen user
Google Cloud Storage Bucket contents downloaded without authentication
Google Cloud Storage Bucket enumerated
Google Cloud Storage Bucket modified
Google Cloud Storage Bucket permissions modified
Google Cloud unauthorized service account activity
Google Cloud unauthorized user activity
Google Cloud VPC network modified
Google Compute Engine firewall rule modified
Google Compute Engine instance metadata SSH key added or modified
Google Compute Engine network route created or modified
Google Compute Engine project metadata SSH key added or modified

Gsuite

>

Google Workspace accessed by Google
Google Workspace admin role created
Google Workspace user assigned to super admin role
Google Workspace user forwarding email out of non Google Workspace domain
User attempted login with leaked password

Guardduty

>

AWS EC2 instance communicated with a malicious server
AWS EC2 instance communicating over unusual port
AWS EC2 instance communicating with a cryptocurrency server
AWS EC2 instance communicating with malicious IP
AWS EC2 instance conducting a port scan
AWS EC2 instance connecting to TOR as a relay
AWS EC2 instance inbound connections from TOR
AWS EC2 instance involved in brute force attack
AWS EC2 instance network traffic volume unusual
AWS EC2 instance outbound connections to TOR
AWS EC2 instance participating in a DoS attack
AWS EC2 instance probed by scanner
AWS EC2 instance Sending spam emails
AWS EC2 Instance Victim to Metadata DNS Rebind Attack
AWS GuardDuty finding
AWS IAM user changing sensitive configurations
AWS IAM user disabled S3 Block Public Access
AWS IAM user escalating privileges
AWS IAM user making API requests with hacking tools
AWS IAM user requests from malicious IP
AWS IAM user suspicious login
AWS Root credential activity

IAM

>

IAM access keys older than 1 year have not been used in the last 30 days
IAM privileged user does not have admin permissions to your AWS account
IAM role trust policy does not contain a wildcard principal
IAM server certificate will expire within 30 days

IIS

>

IIS HTTP requests from security scanner

Jumpcloud

>

Credential stuffing attack on Jumpcloud
Jumpcloud admin granted system privileges
Jumpcloud admin login without MFA
Jumpcloud admin triggered impossible travel scenario
Jumpcloud administrator role assigned
Jumpcloud policy created
Jumpcloud policy modified

Kubernetes

>

A Kubernetes user attempted to perform a high number of actions that were denied
A Kubernetes user was assigned cluster administrator permissions
A new Kubernetes admission controller was created
Anonymous Request Authorized
Kubernetes Pod Created in Kube Namespace
Kubernetes Pod Created with hostNetwork
Kubernetes principal attempted to enumerate their permissions
Kubernetes Service Account Created in Kube Namespace
Kubernetes Service Created with NodePort
New Kubernetes Namespace Created
New Kubernetes privileged pod created
User Attached to a Pod
User Exec into a Pod

Lambda

>

Lambda function has access to VPC resources
Lambda function is not publicly accessible
Lambda function uses latest runtime environment version

Microsoft 365

>

A new Microsoft 365 application was installed
A new Microsoft 365 Teams app is observed
Abnormal successful Microsoft 365 Exchange login event
Exchange Online mail forwarding rule enabled
Microsoft 365 Anomalous Amount of Deleted Emails
Microsoft 365 Anomalous Amount of Downloaded files
Microsoft 365 OneDrive Anonymous Link Created
Microsoft 365 SharePoint object shared with guest
Microsoft 365 Unified Audit Logging Disabled
Unusual Authentication by Microsoft 365 Azure AD Service Principal

Multi Log Sources

>

Base64 was detected in an http.user_agent or http.referrer
Credential stuffing attack
Log4j Scanner detected in user agent or referrer
Log4Shell Scanning Detected
Potential cryptomining detected through IP callback
Spring RCE post-exploitation activity attempted

Nginx

>

NGINX HTTP requests from security scanner

Nginx Ingress Controller

>

NGINX ingress controller HTTP requests from security scanner

Okta

>

Malicious authentication attempt detected by Okta ThreatInsight
Malicious IP Communicating with Okta
Multiple Okta push notifications denied
Okta administrator role assigned to user
Okta API Token Created or Enabled
Okta blocked numerous requests from a malicious IP
Okta Impersonation
Okta MFA Bypass Attempted
Okta MFA reset for user
Okta one-time refresh token reused
Okta policy rule deleted
Okta User Access Denied to Sign On
Okta User Attempted to Access Unauthorized App

Onelogin

>

OneLogin administrator assumed a user
OneLogin user granted administrative privileges
OneLogin user locked out
OneLogin user viewed secure note

RDS

>

RDS instance is not using the default port
RDS snapshot is not publicly accessible

Redshift

>

Redshift cluster is encrypted
Redshift cluster is not publicly accessible
Redshift cluster is not using a custom master user name
Redshift cluster is not using the default port
Redshift cluster is using the EC2-VPC platform
Redshift cluster logging is enabled
Version upgrade is enabled for Redshift cluster

Route53

>

EC2 instance requested a suspicious domain
EC2 instance resolved a suspicious AWS metadata DNS query

Runtime Security

>

Compiler executed in container
Container management utility in container
Database process spawned shell
Dirty Pipe exploitation attempted
Interactive shell spawned in container
Java process spawned shell
Local account password modified
Network scanning utility executed
Network utility accessed cloud metadata service
Network utility executed
Network utility executed in container
Package installed in container
Unfamiliar command spawned from web server
Unfamiliar process accessed AWS EKS service account token
Unfamiliar process accessed Kubernetes pod service account token

S3

>

S3 bucket ACL and bucket objects are not publicly readable
S3 bucket ACL is not viewable by all authenticated users
S3 bucket ACLs are configured to block public write actions
S3 bucket contents are not publicly exposed via bucket policy
S3 bucket has versioning enabled
S3 bucket is not publicly accessible
S3 bucket is not publicly writeable via bucket policy
S3 bucket MFA Delete feature is enabled
S3 bucket objects cannot be listed by all authenticated users

Salesforce

>

Anomalous amount of Salesforce query results
Anomalous amount of Salesforce records deleted
Credential stuffing attack on Salesforce
Salesforce Brute force attack on user
Salesforce Login from Disabled Account

Signal Sciences

>

Signal Sciences flagged an IP

SNS

>

SNS Topic has access restrictions set for subscription
SNS Topic has restrictions set for publishing
SNS Topic has server-side encryption
SNS Topic is not publicly accessible

Sqreen

>

Security Incident Detected by Sqreen
User Logged into an Application from a New Country

SQS

>

SQS Queue has server-side encryption
SQS Queue is not publicly accessible

Twistlock

>

Container image vulnerability detected
Container violated compliance standards

Vault

>

Vault Root Token
Vault Token Created with Excessive TTL

VPC

>

Network ACL inbound traffic is restricted
Network ACL outbound traffic is restricted
VPC endpoint is not publicly accessible

Windows

>

Windows Audit Log Cleared
Windows Directory Service Restore Mode password changed
Windows Domain Admin Group Changed
Windows Firewall Disabled
Windows Net command executed to enumerate administrators
Windows User Added to Domain Admin Group