Supply-Chain Firewall unverified package manager command
Goal
This rule detects instances of Supply-Chain Firewall running a package manager command without verification, which occurs when the underlying package manager is on an unsupported version. Supply-Chain Firewall was therefore unable to resolve the command’s installation targets, if any.
Strategy
This rule monitors Supply-Chain Firewall's logs for @verified:false. This attribute is set only when Supply-Chain Firewall was unable to verify a package manager command it executed.
Triage and response
- Examine the logs to determine the package manager command that was executed and whether the command may have installed packages.
- Determine whether any packages that were installed have associated security advisories using:
  - Datadog Security Research's public malicious packages dataset
  - OSV.dev's public API or website
- Based on the results of the previous step, take any necessary action to remediate the system where the command was executed.
- If possible, update the affected package manager to a supported version to take advantage of Supply-Chain Firewall verification.
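The first two triage steps, as an added helper that is not part of this rule or of the Supply-Chain Firewall project: it filters log records with verified=false, extracts the installation targets from pip/npm install commands, and builds the OSV.dev query bodies for them. The JSON field names and sample records are constructed for the example; the real scfw log schema may differ.

```python
"""Triage helper for Supply-Chain Firewall events logged with verified=false.
Added example, not code from Datadog's rule or the scfw project. It assumes
newline-delimited JSON records with the constructed keys "verified",
"package_manager" and "command"; the real scfw log schema may differ."""
import json
import re
import shlex

# Constructed sample log lines, not real Supply-Chain Firewall output.
SAMPLE_LOGS = """
{"verified": true, "package_manager": "pip", "command": "pip install requests==2.31.0"}
{"verified": false, "package_manager": "npm", "command": "npm install left-pad@1.3.0 lodash"}
{"verified": false, "package_manager": "pip", "command": "pip freeze"}
""".strip()

# Assumed mapping from package manager to the ecosystem name OSV.dev expects.
ECOSYSTEMS = {"pip": "PyPI", "npm": "npm"}

def unverified_events(raw_logs: str) -> list:
    """Return only the records where the command ran without verification."""
    records = (json.loads(line) for line in raw_logs.splitlines() if line.strip())
    return [r for r in records if r.get("verified") is False]

def install_targets(command: str) -> list:
    """Extract (name, version) pairs from a pip/npm install command; [] if the
    command installs nothing. Handles pip's name==ver and npm's name@ver forms."""
    tokens = shlex.split(command)
    if "install" not in tokens:
        return []
    targets = []
    for tok in tokens[tokens.index("install") + 1:]:
        if tok.startswith("-"):
            continue  # skip flags such as --upgrade or -g
        m = re.fullmatch(r"(@?[^=@]+)(?:(?:==|@)(.+))?", tok)  # keeps @scope/pkg
        if m:
            targets.append((m.group(1), m.group(2)))
    return targets

def osv_queries(events: list) -> list:
    """Build OSV.dev /v1/query bodies for each target; returned, not sent, so the
    example runs offline. POST each to https://api.osv.dev/v1/query to check."""
    queries = []
    for event in events:
        ecosystem = ECOSYSTEMS.get(event.get("package_manager"))
        for name, version in install_targets(event["command"]):
            query = {"package": {"name": name, "ecosystem": ecosystem}}
            if version:
                query["version"] = version
            queries.append(query)
    return queries
```

A non-install command such as `pip freeze` yields no targets and therefore no OSV queries, which is the "if any" case in the rule's goal.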