このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Create custom rules using the Assisted rule creator

The Assisted rule creator option helps you create the Agent and dependent detection rules together, and ensures that the Agent rule is referenced in the detection rules. Using this tool is faster than the advanced method of creating the Agent and detection rules separately.

For details, see Creating Custom Detection Rules.

Agent expression syntax

Cloud Security Management Threats (CSM Threats) first evaluates activity within the Datadog Agent against Agent expressions to decide what activity to collect. This portion of a CSM Threats rule is called the Agent expression. Agent expressions use Datadog’s Security Language (SECL). The standard format of a SECL expression is as follows:

<event-type>.<event-attribute> <operator> <value> [<operator> <event-type>.<event-attribute>] ...

Using this format, an example rule for a Linux system looks like this:

open.file.path == "/etc/shadow" && process.file.path not in ["/usr/sbin/vipw"]

Operators

SECL operators are used to combine event attributes together into a full expression. The following operators are available:

SECL OperatorTypesDefinitionAgent Version
==ProcessEqual7.27
!=FileNot equal7.27
>FileGreater7.27
>=FileGreater or equal7.27
<FileLesser7.27
<=FileLesser or equal7.27
!FileNot7.27
^FileBinary not7.27
in [elem1, ...]FileElement is contained in list7.27
not in [elem1, ...]FileElement is not contained in list7.27
=~FileString matching7.27
!~FileString not matching7.27
&FileBinary and7.27
|FileBinary or7.27
&&FileLogical and7.27
||FileLogical or7.27
in CIDRNetworkElement is in the IP range7.37
not in CIDRNetworkElement is not in the IP range7.37
allin CIDRNetworkAll the elements are in the IP range7.37
in [CIDR1, ...]NetworkElement is in the IP ranges7.37
not in [CIDR1, ...]NetworkElement is not in the IP ranges7.37
allin [CIDR1, ...]NetworkAll the elements are in the IP ranges7.37

Patterns and regular expressions

Patterns or regular expressions can be used in SECL expressions. They can be used with the in, not in, =~, and !~ operators.

FormatExampleSupported FieldsAgent Version
~"pattern"~"httpd.*"All7.27
r"regexp"r"rc[0-9]+"All except .path7.27

Patterns on .path fields will be used as Glob. * will match files and folders at the same level. **, introduced in 7.34, can be used at the end of a path in order to match all the files and subfolders.

Duration

You can use SECL to write rules based on durations, which trigger on events that occur during a specific time period. For example, trigger on an event where a secret file is accessed more than a certain length of time after a process is created. Such a rule could be written as follows:

open.file.path == "/etc/secret" && process.file.name == "java" && process.created_at > 5s

Durations are numbers with a unit suffix. The supported suffixes are “s”, “m”, “h”.

Platform specific syntax

SECL expressions support several platforms. You can use the documentation below to see what attributes and helpers are available for each.