- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
The Assisted rule creator option helps you create the Agent and dependent detection rules together, and ensures that the Agent rule is referenced in the detection rules. Using this tool is faster than the advanced method of creating the Agent and detection rules separately.
For details, see Creating Custom Detection Rules.
Cloud Security Management Threats (CSM Threats) first evaluates activity within the Datadog Agent against Agent expressions to decide what activity to collect. This portion of a CSM Threats rule is called the Agent expression. Agent expressions use Datadog’s Security Language (SECL). The standard format of a SECL expression is as follows:
<event-type>.<event-attribute> <operator> <value> [<operator> <event-type>.<event-attribute>] ...
Using this format, an example rule for a Linux system looks like this:
open.file.path == "/etc/shadow" && process.file.path not in ["/usr/sbin/vipw"]
SECL operators are used to combine event attributes together into a full expression. The following operators are available:
SECL Operator | Types | Definition | Agent Version |
---|---|---|---|
== | Process | Equal | 7.27 |
!= | File | Not equal | 7.27 |
> | File | Greater | 7.27 |
>= | File | Greater or equal | 7.27 |
< | File | Lesser | 7.27 |
<= | File | Lesser or equal | 7.27 |
! | File | Not | 7.27 |
^ | File | Binary not | 7.27 |
in [elem1, ...] | File | Element is contained in list | 7.27 |
not in [elem1, ...] | File | Element is not contained in list | 7.27 |
=~ | File | String matching | 7.27 |
!~ | File | String not matching | 7.27 |
& | File | Binary and | 7.27 |
| | File | Binary or | 7.27 |
&& | File | Logical and | 7.27 |
|| | File | Logical or | 7.27 |
in CIDR | Network | Element is in the IP range | 7.37 |
not in CIDR | Network | Element is not in the IP range | 7.37 |
allin CIDR | Network | All the elements are in the IP range | 7.37 |
in [CIDR1, ...] | Network | Element is in the IP ranges | 7.37 |
not in [CIDR1, ...] | Network | Element is not in the IP ranges | 7.37 |
allin [CIDR1, ...] | Network | All the elements are in the IP ranges | 7.37 |
Patterns or regular expressions can be used in SECL expressions. They can be used with the in
, not in
, =~
, and !~
operators.
Format | Example | Supported Fields | Agent Version |
---|---|---|---|
~"pattern" | ~"httpd.*" | All | 7.27 |
r"regexp" | r"rc[0-9]+" | All except .path | 7.27 |
Patterns on .path
fields will be used as Glob. *
will match files and folders at the same level. **
, introduced in 7.34, can be used at the end of a path in order to match all the files and subfolders.
You can use SECL to write rules based on durations, which trigger on events that occur during a specific time period. For example, trigger on an event where a secret file is accessed more than a certain length of time after a process is created. Such a rule could be written as follows:
open.file.path == "/etc/secret" && process.file.name == "java" && process.created_at > 5s
Durations are numbers with a unit suffix. The supported suffixes are “s”, “m”, “h”.
SECL expressions support several platforms. You can use the documentation below to see what attributes and helpers are available for each.