This topic explains how to use the Agent Events explorer to query and review the Datadog Agent threat detection events generated by the out-of-the-box (OOTB) detection rules.
The Datadog Agent evaluates system activity on the Agent host. When activity matches an Agent rule expression, the Agent generates a detection event and passes it to the Datadog backend.
If an event matches both an Agent detection rule and a backend Threat detection rule, a signal is created and displayed in Signals (Agent detection rule + backend Threat detection rule = Signal).
With the Agent Events explorer, you can investigate Agent Events separately from signals. You can review the host path where the event happened, and view the event’s attributes, metrics, and processes. You can also review the Agent rule that generated the event and view triage and response instructions.
By default, all OOTB Agent crypto mining threat detection rules are enabled and actively monitor for threats.
Active Protection lets you proactively block and terminate crypto mining threats identified by the Datadog Agent threat detection rules.
To view Agent events, go to the Agent Events explorer.
Agent events are queried and displayed using the standard explorer controls in the Datadog Events explorer.
To investigate why an event is listed on the Agent Events explorer, select an event.
The event details include the event's attributes, metrics, and processes. The Metrics section links to the host dashboard, and the Processes section links to the host process dashboard and to the Process Agent installation steps.
In Path, the latest process tree is displayed. This gives you the best overview of what occurred by showing all of the commands that led to the command that initiated the event.
Path is often the best place to start investigating an event.
To triage an event: