This documentation describes the Windows attributes and helpers of Datadog's Security Language (SECL).
Rules using Windows attributes and helpers must include an OS rule filter field, as follows:

```yaml
id: [...]
expression: [...]
filters:
  - os == "windows"
```
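A complete rule in that shape, added here as an example (it is not from the page or from Datadog's own rule set). The expression uses only attributes documented on this page; the rule id is hypothetical, and the surrounding `rules:` list and the `description` key are assumed policy-file keys, not something this page specifies.

```yaml
# Added example policy fragment; rule id and the rules:/description keys are assumptions.
rules:
  - id: windows_cmd_bat_exec_from_drive_root
    description: A batch file named cmd.bat was executed from the root of the C: drive
    expression: >-
      exec.file.name == "cmd.bat" && exec.file.path == "c:\cmd.bat"
    filters:
      - os == "windows"
```

The `filters` entry is what restricts the rule to Windows agents; without it, an expression built from Windows-only attributes is not a valid rule.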
Triggers are events that correspond to types of activity seen by the system. The currently supported set of triggers is:
SECL Event | Type | Definition | Agent Version |
---|---|---|---|
change_permission | Registry | A permission change was made | 7.55 |
create | File | A file was created | 7.52 |
create_key | Registry | A registry key was created | 7.52 |
delete | File | A file was deleted | 7.54 |
delete_key | Registry | A registry key was deleted | 7.52 |
exec | Process | A process was executed or forked | 7.27 |
exit | Process | A process was terminated | 7.38 |
open_key | Registry | A registry key was opened | 7.52 |
rename | File | A file was renamed | 7.54 |
set_key_value | Registry | A registry key value was set | 7.52 |
write | File | A file was written | 7.54 |
SECL variables are predefined variables that can be used as values or as part of values. For example, a rule using the `process.pid` variable looks like this:

```
open.file.path == "/proc/${process.pid}/maps"
```
List of the available variables:
SECL Variable | Definition | Agent Version |
---|---|---|
process.pid | Process PID | 7.33 |
Common to all event types
Property | Definition |
---|---|
container.created_at | Timestamp of the creation of the container |
container.id | ID of the container |
container.runtime | Runtime managing the container |
container.tags | Tags of the container |
event.hostname | Hostname associated with the event |
event.origin | Origin of the event |
event.os | Operating system of the event |
event.service | Service associated with the event |
event.timestamp | Timestamp of the event |
process.ancestors.cmdline | Command line of the process |
process.ancestors.container.id | Container ID |
process.ancestors.created_at | Timestamp of the creation of the process |
process.ancestors.envp | Environment variables of the process |
process.ancestors.envs | Environment variable names of the process |
process.ancestors.file.name | File’s basename |
process.ancestors.file.name.length | Length of the corresponding string |
process.ancestors.file.path | File’s path |
process.ancestors.file.path.length | Length of the corresponding string |
process.ancestors.pid | Process ID of the process (also called thread group ID) |
process.ancestors.ppid | Parent process ID |
process.ancestors.user | User name |
process.ancestors.user_sid | Sid of the user of the process |
process.cmdline | Command line of the process |
process.container.id | Container ID |
process.created_at | Timestamp of the creation of the process |
process.envp | Environment variables of the process |
process.envs | Environment variable names of the process |
process.file.name | File’s basename |
process.file.name.length | Length of the corresponding string |
process.file.path | File’s path |
process.file.path.length | Length of the corresponding string |
process.parent.cmdline | Command line of the process |
process.parent.container.id | Container ID |
process.parent.created_at | Timestamp of the creation of the process |
process.parent.envp | Environment variables of the process |
process.parent.envs | Environment variable names of the process |
process.parent.file.name | File’s basename |
process.parent.file.name.length | Length of the corresponding string |
process.parent.file.path | File’s path |
process.parent.file.path.length | Length of the corresponding string |
process.parent.pid | Process ID of the process (also called thread group ID) |
process.parent.ppid | Parent process ID |
process.parent.user | User name |
process.parent.user_sid | Sid of the user of the process |
process.pid | Process ID of the process (also called thread group ID) |
process.ppid | Parent process ID |
process.user | User name |
process.user_sid | Sid of the user of the process |
change_permission
A permission change was made
Property | Definition |
---|---|
change_permission.new_sd | New Security Descriptor of the object of which permission was changed |
change_permission.old_sd | Original Security Descriptor of the object of which permission was changed |
change_permission.path | Name of the object of which permission was changed |
change_permission.type | Type of the object of which permission was changed |
change_permission.user_domain | Domain name of the permission change author |
change_permission.username | Username of the permission change author |
create
A file was created
Property | Definition |
---|---|
create.file.device_path | File’s path |
create.file.device_path.length | Length of the corresponding string |
create.file.name | File’s basename |
create.file.name.length | Length of the corresponding string |
create.file.path | File’s path |
create.file.path.length | Length of the corresponding string |
create_key
A registry key was created
Property | Definition |
---|---|
create.registry.key_name | Registry’s name |
create.registry.key_name.length | Length of the corresponding string |
create.registry.key_path | Registry’s path |
create.registry.key_path.length | Length of the corresponding string |
create_key.registry.key_name | Registry’s name |
create_key.registry.key_name.length | Length of the corresponding string |
create_key.registry.key_path | Registry’s path |
create_key.registry.key_path.length | Length of the corresponding string |
delete
A file was deleted
Property | Definition |
---|---|
delete.file.device_path | File’s path |
delete.file.device_path.length | Length of the corresponding string |
delete.file.name | File’s basename |
delete.file.name.length | Length of the corresponding string |
delete.file.path | File’s path |
delete.file.path.length | Length of the corresponding string |
delete_key
A registry key was deleted
Property | Definition |
---|---|
delete.registry.key_name | Registry’s name |
delete.registry.key_name.length | Length of the corresponding string |
delete.registry.key_path | Registry’s path |
delete.registry.key_path.length | Length of the corresponding string |
delete_key.registry.key_name | Registry’s name |
delete_key.registry.key_name.length | Length of the corresponding string |
delete_key.registry.key_path | Registry’s path |
delete_key.registry.key_path.length | Length of the corresponding string |
exec
A process was executed or forked
Property | Definition |
---|---|
exec.cmdline | Command line of the process |
exec.container.id | Container ID |
exec.created_at | Timestamp of the creation of the process |
exec.envp | Environment variables of the process |
exec.envs | Environment variable names of the process |
exec.file.name | File’s basename |
exec.file.name.length | Length of the corresponding string |
exec.file.path | File’s path |
exec.file.path.length | Length of the corresponding string |
exec.pid | Process ID of the process (also called thread group ID) |
exec.ppid | Parent process ID |
exec.user | User name |
exec.user_sid | Sid of the user of the process |
exit
A process was terminated
Property | Definition |
---|---|
exit.cause | Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED) |
exit.cmdline | Command line of the process |
exit.code | Exit code of the process or number of the signal that caused the process to terminate |
exit.container.id | Container ID |
exit.created_at | Timestamp of the creation of the process |
exit.envp | Environment variables of the process |
exit.envs | Environment variable names of the process |
exit.file.name | File’s basename |
exit.file.name.length | Length of the corresponding string |
exit.file.path | File’s path |
exit.file.path.length | Length of the corresponding string |
exit.pid | Process ID of the process (also called thread group ID) |
exit.ppid | Parent process ID |
exit.user | User name |
exit.user_sid | Sid of the user of the process |
open_key
A registry key was opened
Property | Definition |
---|---|
open.registry.key_name | Registry’s name |
open.registry.key_name.length | Length of the corresponding string |
open.registry.key_path | Registry’s path |
open.registry.key_path.length | Length of the corresponding string |
open_key.registry.key_name | Registry’s name |
open_key.registry.key_name.length | Length of the corresponding string |
open_key.registry.key_path | Registry’s path |
open_key.registry.key_path.length | Length of the corresponding string |
rename
A file was renamed
Property | Definition |
---|---|
rename.file.destination.device_path | File’s path |
rename.file.destination.device_path.length | Length of the corresponding string |
rename.file.destination.name | File’s basename |
rename.file.destination.name.length | Length of the corresponding string |
rename.file.destination.path | File’s path |
rename.file.destination.path.length | Length of the corresponding string |
rename.file.device_path | File’s path |
rename.file.device_path.length | Length of the corresponding string |
rename.file.name | File’s basename |
rename.file.name.length | Length of the corresponding string |
rename.file.path | File’s path |
rename.file.path.length | Length of the corresponding string |
set_key_value
A registry key value was set
Property | Definition |
---|---|
set.registry.key_name | Registry’s name |
set.registry.key_name.length | Length of the corresponding string |
set.registry.key_path | Registry’s path |
set.registry.key_path.length | Length of the corresponding string |
set.registry.value_name | Registry’s value name |
set.registry.value_name.length | Length of the corresponding string |
set.value_name | Registry’s value name |
set_key_value.registry.key_name | Registry’s name |
set_key_value.registry.key_name.length | Length of the corresponding string |
set_key_value.registry.key_path | Registry’s path |
set_key_value.registry.key_path.length | Length of the corresponding string |
set_key_value.registry.value_name | Registry’s value name |
set_key_value.registry.value_name.length | Length of the corresponding string |
set_key_value.value_name | Registry’s value name |
write
A file was written
Property | Definition |
---|---|
write.file.device_path | File’s path |
write.file.device_path.length | Length of the corresponding string |
write.file.name | File’s basename |
write.file.name.length | Length of the corresponding string |
write.file.path | File’s path |
write.file.path.length | Length of the corresponding string |
*.cmdline
Type: string
Definition: Command line of the process
`*.cmdline` has 5 possible prefixes: `exec`, `exit`, `process`, `process.ancestors`, `process.parent`.

Example:

```
exec.cmdline == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"
```

Matches any process with these exact arguments.

Example:

```
exec.cmdline =~ "* -F * http*"
```

Matches any process that has the "-F" argument anywhere before an argument starting with "http".
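The OS filter, the `${process.pid}` variable substitution and the two `exec.cmdline` examples above all describe how a rule is evaluated against an event. The following toy evaluator is an added illustration written for this page; it is not Datadog's engine and not code from the page. It assumes three things that the page does not state: `=~` is approximated with glob-style matching where `*` matches any run of characters, expressions are limited to `&&`-joined comparisons, and events are represented as flat dictionaries of attribute names. All sample events are constructed.

```python
"""Toy evaluator for SECL-style rules (added illustration, not Datadog's engine)."""
import fnmatch
import re
from dataclasses import dataclass, field

# Condition grammar handled here: <attribute> <op> "<literal>", with op in ==, !=, =~
_COND = re.compile(r'^([A-Za-z_][\w.]*)\s*(==|!=|=~)\s*"(.*)"$')
# SECL variables such as ${process.pid}
_VAR = re.compile(r"\$\{([\w.]+)\}")


@dataclass
class Event:
    os: str        # operating system the event was collected on
    fields: dict   # flattened SECL attributes, e.g. "exec.file.name" -> "cmd.bat"


@dataclass
class Rule:
    id: str
    expression: str
    filters: list = field(default_factory=list)


def expand_variables(text: str, event: Event) -> str:
    """Replace ${var} with the event's value, e.g. ${process.pid} -> "4242"."""
    return _VAR.sub(lambda m: str(event.fields[m.group(1)]), text)


def eval_condition(cond: str, values: dict, event: Event) -> bool:
    m = _COND.match(cond.strip())
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    attr, op, literal = m.groups()
    literal = expand_variables(literal, event)
    actual = values.get(attr)
    if actual is None:          # attribute absent on this event type: never matches
        return False
    actual = str(actual)
    if op == "==":
        return actual == literal
    if op == "!=":
        return actual != literal
    # "=~": assumed glob-style wildcard matching ("*" matches any characters)
    return fnmatch.fnmatchcase(actual, literal)


def matches(rule: Rule, event: Event) -> bool:
    """Apply the rule's OS filters first, then every '&&'-joined condition."""
    if not all(eval_condition(f, {"os": event.os}, event) for f in rule.filters):
        return False
    return all(eval_condition(c, event.fields, event)
               for c in rule.expression.split("&&"))


# Constructed sample events (not captured from a real host).
WINDOWS_EXEC = Event(os="windows", fields={
    "exec.file.name": "cmd.bat",
    "exec.file.path": r"c:\cmd.bat",
    "exec.cmdline": r"c:\cmd.bat -F config.ini http://example.invalid/",
    "process.pid": 4242,
})
# Same attributes reported by a Linux agent: the OS filter must reject it.
LINUX_EXEC = Event(os="linux", fields=dict(WINDOWS_EXEC.fields))

# Rules built from the page's own examples; ids are hypothetical.
RULES = [
    Rule("exec_cmd_bat", 'exec.file.name == "cmd.bat"', ['os == "windows"']),
    Rule("exec_f_then_http", 'exec.cmdline =~ "* -F * http*"', ['os == "windows"']),
    Rule("exec_cmd_bat_path",
         'exec.file.name == "cmd.bat" && exec.file.path == "c:\\cmd.bat"',
         ['os == "windows"']),
]


def matching_rule_ids(event: Event) -> list:
    """Return the ids of every rule that fires on the event, in rule order."""
    return [r.id for r in RULES if matches(r, event)]


if __name__ == "__main__":
    print("windows:", matching_rule_ids(WINDOWS_EXEC))   # all three rules
    print("linux:  ", matching_rule_ids(LINUX_EXEC))     # none, filtered out
```

Note the order of the wildcard check: `"* -F * http*"` only fires when the `-F` argument precedes an argument starting with `http`, which is why a command line with `http://...` before `-F` does not match. Dropping the `filters` list would make the Linux event match as well, since the expression itself says nothing about the operating system.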
*.container.id
Type: string
Definition: Container ID
`*.container.id` has 5 possible prefixes: `exec`, `exit`, `process`, `process.ancestors`, `process.parent`.
*.created_at
Type: int
Definition: Timestamp of the creation of the process
`*.created_at` has 5 possible prefixes: `exec`, `exit`, `process`, `process.ancestors`, `process.parent`.
*.device_path
Type: string
Definition: File’s path
`*.device_path` has 5 possible prefixes: `create.file`, `delete.file`, `rename.file`, `rename.file.destination`, `write.file`.

Example:

```
create.file.device_path == "\device\harddisk1\cmd.bat"
```

Matches the creation of the file located at c:\cmd.bat.
*.envp
Type: string
Definition: Environment variables of the process
`*.envp` has 5 possible prefixes: `exec`, `exit`, `process`, `process.ancestors`, `process.parent`.
*.envs
Type: string
Definition: Environment variable names of the process
`*.envs` has 5 possible prefixes: `exec`, `exit`, `process`, `process.ancestors`, `process.parent`.
*.key_name
Type: string
Definition: Registry’s name
`*.key_name` has 8 possible prefixes: `create.registry`, `create_key.registry`, `delete.registry`, `delete_key.registry`, `open.registry`, `open_key.registry`, `set.registry`, `set_key_value.registry`.
*.key_path
Type: string
Definition: Registry’s path
`*.key_path` has 8 possible prefixes: `create.registry`, `create_key.registry`, `delete.registry`, `delete_key.registry`, `open.registry`, `open_key.registry`, `set.registry`, `set_key_value.registry`.
*.length
Type: int
Definition: Length of the corresponding string
`*.length` has 43 possible prefixes:
create.file.device_path
create.file.name
create.file.path
create.registry.key_name
create.registry.key_path
create_key.registry.key_name
create_key.registry.key_path
delete.file.device_path
delete.file.name
delete.file.path
delete.registry.key_name
delete.registry.key_path
delete_key.registry.key_name
delete_key.registry.key_path
exec.file.name
exec.file.path
exit.file.name
exit.file.path
open.registry.key_name
open.registry.key_path
open_key.registry.key_name
open_key.registry.key_path
process.ancestors.file.name
process.ancestors.file.path
process.file.name
process.file.path
process.parent.file.name
process.parent.file.path
rename.file.destination.device_path
rename.file.destination.name
rename.file.destination.path
rename.file.device_path
rename.file.name
rename.file.path
set.registry.key_name
set.registry.key_path
set.registry.value_name
set_key_value.registry.key_name
set_key_value.registry.key_path
set_key_value.registry.value_name
write.file.device_path
write.file.name
write.file.path
*.name
Type: string
Definition: File’s basename
`*.name` has 5 possible prefixes: `exec.file`, `exit.file`, `process.ancestors.file`, `process.file`, `process.parent.file`.

Example:

```
exec.file.name == "cmd.bat"
```

Matches the execution of any file named cmd.bat.
*.name
Type: string
Definition: File’s basename
`*.name` has 5 possible prefixes: `create.file`, `delete.file`, `rename.file`, `rename.file.destination`, `write.file`.

Example:

```
create.file.name == "cmd.bat"
```

Matches the creation of any file named cmd.bat.
*.path
Type: string
Definition: File’s path
`*.path` has 5 possible prefixes: `exec.file`, `exit.file`, `process.ancestors.file`, `process.file`, `process.parent.file`.

Example:

```
exec.file.path == "c:\cmd.bat"
```

Matches the execution of the file located at c:\cmd.bat.
*.path
Type: string
Definition: File’s path
`*.path` has 5 possible prefixes: `create.file`, `delete.file`, `rename.file`, `rename.file.destination`, `write.file`.

Example:

```
create.file.path == "c:\cmd.bat"
```

Matches the creation of the file located at c:\cmd.bat.
*.pid
Type: int
Definition: Process ID of the process (also called thread group ID)
`*.pid` has 5 possible prefixes: `exec`, `exit`, `process`, `process.ancestors`, `process.parent`.
*.ppid
Type: int
Definition: Parent process ID
`*.ppid` has 5 possible prefixes: `exec`, `exit`, `process`, `process.ancestors`, `process.parent`.
*.registry.value_name
Type: string
Definition: Registry’s value name
`*.registry.value_name` has 2 possible prefixes: `set`, `set_key_value`.
*.user
Type: string
Definition: User name
`*.user` has 5 possible prefixes: `exec`, `exit`, `process`, `process.ancestors`, `process.parent`.
*.user_sid
Type: string
Definition: Sid of the user of the process
`*.user_sid` has 5 possible prefixes: `exec`, `exit`, `process`, `process.ancestors`, `process.parent`.
*.value_name
Type: string
Definition: Registry’s value name
`*.value_name` has 2 possible prefixes: `set`, `set_key_value`.
change_permission.new_sd
Type: string
Definition: New Security Descriptor of the object of which permission was changed
change_permission.old_sd
Type: string
Definition: Original Security Descriptor of the object of which permission was changed
change_permission.path
Type: string
Definition: Name of the object of which permission was changed
change_permission.type
Type: string
Definition: Type of the object of which permission was changed
change_permission.user_domain
Type: string
Definition: Domain name of the permission change author
change_permission.username
Type: string
Definition: Username of the permission change author
container.created_at
Type: int
Definition: Timestamp of the creation of the container
container.id
Type: string
Definition: ID of the container
container.runtime
Type: string
Definition: Runtime managing the container
container.tags
Type: string
Definition: Tags of the container
event.hostname
Type: string
Definition: Hostname associated with the event
event.origin
Type: string
Definition: Origin of the event
event.os
Type: string
Definition: Operating system of the event
event.service
Type: string
Definition: Service associated with the event
event.timestamp
Type: int
Definition: Timestamp of the event
exit.cause
Type: int
Definition: Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)
exit.code
Type: int
Definition: Exit code of the process or number of the signal that caused the process to terminate
Constants are used to improve the readability of your rules. Some constants are common to all architectures, others are specific to some architectures.
Boolean constants
Boolean constants are the supported boolean constants.
Name | Architectures |
---|---|
true | all |
false | all |
DNS qclasses
DNS qclasses are the supported DNS query classes.
Name | Architectures |
---|---|
CLASS_INET | all |
CLASS_CSNET | all |
CLASS_CHAOS | all |
CLASS_HESIOD | all |
CLASS_NONE | all |
CLASS_ANY | all |
DNS qtypes
DNS qtypes are the supported DNS query types.
Name | Architectures |
---|---|
None | all |
A | all |
NS | all |
MD | all |
MF | all |
CNAME | all |
SOA | all |
MB | all |
MG | all |
MR | all |
NULL | all |
PTR | all |
HINFO | all |
MINFO | all |
MX | all |
TXT | all |
RP | all |
AFSDB | all |
X25 | all |
ISDN | all |
RT | all |
NSAPPTR | all |
SIG | all |
KEY | all |
PX | all |
GPOS | all |
AAAA | all |
LOC | all |
NXT | all |
EID | all |
NIMLOC | all |
SRV | all |
ATMA | all |
NAPTR | all |
KX | all |
CERT | all |
DNAME | all |
OPT | all |
APL | all |
DS | all |
SSHFP | all |
RRSIG | all |
NSEC | all |
DNSKEY | all |
DHCID | all |
NSEC3 | all |
NSEC3PARAM | all |
TLSA | all |
SMIMEA | all |
HIP | all |
NINFO | all |
RKEY | all |
TALINK | all |
CDS | all |
CDNSKEY | all |
OPENPGPKEY | all |
CSYNC | all |
ZONEMD | all |
SVCB | all |
HTTPS | all |
SPF | all |
UINFO | all |
UID | all |
GID | all |
UNSPEC | all |
NID | all |
L32 | all |
L64 | all |
LP | all |
EUI48 | all |
EUI64 | all |
URI | all |
CAA | all |
AVC | all |
TKEY | all |
TSIG | all |
IXFR | all |
AXFR | all |
MAILB | all |
MAILA | all |
ANY | all |
TA | all |
DLV | all |
Reserved | all |
L3 protocols
L3 protocols are the supported Layer 3 protocols.
Name | Architectures |
---|---|
ETH_P_LOOP | all |
ETH_P_PUP | all |
ETH_P_PUPAT | all |
ETH_P_TSN | all |
ETH_P_IP | all |
ETH_P_X25 | all |
ETH_P_ARP | all |
ETH_P_BPQ | all |
ETH_P_IEEEPUP | all |
ETH_P_IEEEPUPAT | all |
ETH_P_BATMAN | all |
ETH_P_DEC | all |
ETH_P_DNADL | all |
ETH_P_DNARC | all |
ETH_P_DNART | all |
ETH_P_LAT | all |
ETH_P_DIAG | all |
ETH_P_CUST | all |
ETH_P_SCA | all |
ETH_P_TEB | all |
ETH_P_RARP | all |
ETH_P_ATALK | all |
ETH_P_AARP | all |
ETH_P_8021_Q | all |
ETH_P_ERSPAN | all |
ETH_P_IPX | all |
ETH_P_IPV6 | all |
ETH_P_PAUSE | all |
ETH_P_SLOW | all |
ETH_P_WCCP | all |
ETH_P_MPLSUC | all |
ETH_P_MPLSMC | all |
ETH_P_ATMMPOA | all |
ETH_P_PPPDISC | all |
ETH_P_PPPSES | all |
ETH_P__LINK_CTL | all |
ETH_P_ATMFATE | all |
ETH_P_PAE | all |
ETH_P_AOE | all |
ETH_P_8021_AD | all |
ETH_P_802_EX1 | all |
ETH_P_TIPC | all |
ETH_P_MACSEC | all |
ETH_P_8021_AH | all |
ETH_P_MVRP | all |
ETH_P_1588 | all |
ETH_P_NCSI | all |
ETH_P_PRP | all |
ETH_P_FCOE | all |
ETH_P_IBOE | all |
ETH_P_TDLS | all |
ETH_P_FIP | all |
ETH_P_80221 | all |
ETH_P_HSR | all |
ETH_P_NSH | all |
ETH_P_LOOPBACK | all |
ETH_P_QINQ1 | all |
ETH_P_QINQ2 | all |
ETH_P_QINQ3 | all |
ETH_P_EDSA | all |
ETH_P_IFE | all |
ETH_P_AFIUCV | all |
ETH_P_8023_MIN | all |
ETH_P_IPV6_HOP_BY_HOP | all |
ETH_P_8023 | all |
ETH_P_AX25 | all |
ETH_P_ALL | all |
ETH_P_8022 | all |
ETH_P_SNAP | all |
ETH_P_DDCMP | all |
ETH_P_WANPPP | all |
ETH_P_PPPMP | all |
ETH_P_LOCALTALK | all |
ETH_P_CAN | all |
ETH_P_CANFD | all |
ETH_P_PPPTALK | all |
ETH_P_TR8022 | all |
ETH_P_MOBITEX | all |
ETH_P_CONTROL | all |
ETH_P_IRDA | all |
ETH_P_ECONET | all |
ETH_P_HDLC | all |
ETH_P_ARCNET | all |
ETH_P_DSA | all |
ETH_P_TRAILER | all |
ETH_P_PHONET | all |
ETH_P_IEEE802154 | all |
ETH_P_CAIF | all |
ETH_P_XDSA | all |
ETH_P_MAP | all |
L4 protocols
L4 protocols are the supported Layer 4 protocols.
Name | Architectures |
---|---|
IP_PROTO_IP | all |
IP_PROTO_ICMP | all |
IP_PROTO_IGMP | all |
IP_PROTO_IPIP | all |
IP_PROTO_TCP | all |
IP_PROTO_EGP | all |
IP_PROTO_IGP | all |
IP_PROTO_PUP | all |
IP_PROTO_UDP | all |
IP_PROTO_IDP | all |
IP_PROTO_TP | all |
IP_PROTO_DCCP | all |
IP_PROTO_IPV6 | all |
IP_PROTO_RSVP | all |
IP_PROTO_GRE | all |
IP_PROTO_ESP | all |
IP_PROTO_AH | all |
IP_PROTO_ICMPV6 | all |
IP_PROTO_MTP | all |
IP_PROTO_BEETPH | all |
IP_PROTO_ENCAP | all |
IP_PROTO_PIM | all |
IP_PROTO_COMP | all |
IP_PROTO_SCTP | all |
IP_PROTO_UDPLITE | all |
IP_PROTO_MPLS | all |
IP_PROTO_RAW | all |
Further reading: additional useful documentation, links, and articles