This topic explains how to create custom Datadog Agent and detection rules for CSM Threats.
In addition to the out-of-the-box (OOTB) default Agent and detection rules, you can write custom Agent and detection rules. Custom rules help you detect events that the OOTB rules do not cover.
Here are some important roles and permissions to use for custom rules RBAC:

The `security_monitoring_cws_agent_rules_actions` permission can be used to turn on and configure the Active Protection feature. Active Protection enables you to proactively block and terminate crypto mining threats identified by the Datadog Agent threat detection rules.

To restrict who holds the `security_monitoring_cws_agent_rules_actions` permission, a user with the Datadog Admin role must create a role containing the `security_monitoring_cws_agent_rules_actions` permission and then add only those users that manage Active Protection to this role.

Custom detection rules depend on Agent rules. They are composed of existing, deployed Agent rules and additional expression parameters.
There are two use cases:
For more information, see CSM Threats Detection Rules.
You can create custom rules using these methods:
The Assisted rule creator option helps you create the Agent and dependent detection rules together, and ensures that the Agent rule is referenced in the detection rules. Using this tool is faster than the advanced method of creating the Agent and detection rules separately.
As you define the rules using this tool, the threat expressions generated for these rules are displayed in the tool.
To use the Assisted rule creator:
In Agent Configuration or Threat Detection Rules, select New Rule, and then select Assisted rule creator.
Define the detection. To monitor your resource effectively, you have the following detection type options:
Specify more conditions. Enter any arguments to add to the threat rule expression. For example, the argument `foo` is added as `process.argv in ["foo"]`.
Set severity and notification lists.
Add the rule name and description.
Here’s an example of a new FIM rule, including the expressions generated for each rule.
Select Create N Rules.
In Generate Rules, select Confirm. The rules are generated.
Select Finish. The Agent Configuration page displays the new rules.
In Agent Configuration, select Deploy Agent Policy.
You can create an individual custom Agent rule, deploy it as a new Agent policy, and reference it in a custom detection rule.
On the Agent Configuration page, select New Rule, and then select Manual rule creator.
Add a name and description for the rule.
In Expression, define the Agent expression using Datadog Security Language (SECL) syntax.
For example, to monitor for suspicious container clients:

```
exec.file.path in ["/usr/bin/docker", "/usr/local/bin/docker",
"/usr/bin/kubectl", "/usr/local/bin/kubectl"] && container.id != ""
```
Click Create Agent Rule. This automatically navigates you back to the Agent Configuration page.
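To see what the expression above actually selects, here is an added example (not code from the Datadog documentation or the Agent) that evaluates the rule against a few constructed exec events. It implements only the SECL subset the rule needs (`field in [...]`, `field == "s"`, `field != "s"`, joined by `&&`); the nested event dict layout and the sample events are assumptions made for illustration.

```python
"""Added example (not code from the Datadog documentation or the Agent):
evaluate the page's SECL expression against constructed exec events to see
which ones the custom Agent rule would match.  Only the SECL subset the
rule uses is implemented: `field in [...]`, `field == "s"`, `field != "s"`,
joined by `&&`.  Field names follow the page; the event dict layout and
the sample events are assumptions for illustration."""
from __future__ import annotations

import re
from typing import Any

# The Agent rule from the page, reproduced verbatim.
SUSPICIOUS_CONTAINER_CLIENT = (
    'exec.file.path in ["/usr/bin/docker", "/usr/local/bin/docker", '
    '"/usr/bin/kubectl", "/usr/local/bin/kubectl"] && container.id != ""'
)

_STR = r'"([^"]*)"'
_IN_RE = re.compile(r'^\s*([\w.]+)\s+in\s+\[([^\]]*)\]\s*$')
_CMP_RE = re.compile(r'^\s*([\w.]+)\s*(==|!=)\s*' + _STR + r'\s*$')


def _lookup(event: dict, dotted: str) -> Any:
    """Resolve a dotted SECL field such as exec.file.path in a nested dict.
    A missing field resolves to None, which never satisfies a comparison."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _eval_term(term: str, event: dict) -> bool:
    """Evaluate one SECL term (no nesting, no || support)."""
    m = _IN_RE.match(term)
    if m:
        field, items = m.groups()
        return _lookup(event, field) in re.findall(_STR, items)
    m = _CMP_RE.match(term)
    if m:
        field, op, value = m.groups()
        actual = _lookup(event, field)
        if actual is None:
            return False
        return actual == value if op == "==" else actual != value
    raise ValueError(f"unsupported SECL term: {term!r}")


def matches(expression: str, event: dict) -> bool:
    """True when every &&-joined term holds.  Splitting on '&&' is safe here
    only because no string literal in the expression contains '&&'."""
    return all(_eval_term(term, event) for term in expression.split("&&"))


# Constructed exec events; not real Agent output.
SAMPLE_EVENTS = [
    {"name": "kubectl run inside a container",
     "exec": {"file": {"path": "/usr/bin/kubectl"}}, "container": {"id": "3f9a1c"}},
    {"name": "docker run on the host",            # container.id empty: not in a container
     "exec": {"file": {"path": "/usr/bin/docker"}}, "container": {"id": ""}},
    {"name": "shell run inside a container",      # path not in the watched list
     "exec": {"file": {"path": "/bin/sh"}}, "container": {"id": "3f9a1c"}},
]


def matching_events(expression: str = SUSPICIOUS_CONTAINER_CLIENT,
                    events: list[dict] = SAMPLE_EVENTS) -> list[str]:
    """Names of the events the rule would raise an Agent event for."""
    return [e["name"] for e in events if matches(expression, e)]


if __name__ == "__main__":
    for name in matching_events():
        print("rule matched:", name)
```

Only the first sample event matches: the `container.id != ""` term is what keeps a `docker` invocation on the host itself from triggering, and a missing `container.id` is treated as empty, so it does not match either. Before deploying a custom rule, checking a few such positive and negative cases against the expression is a cheap way to catch an overly broad `in [...]` list or a missing container scoping term.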
After you create a custom Agent rule, the change is saved along with other pending rule updates. To apply the change to your environment, deploy the updated custom policy to the Agent.
Custom Agent rules are deployed to the Agent in a custom policy separate from the default policy. The custom policy contains custom Agent rules as well as default rules that have been disabled.
You can use Remote Configuration to automatically deploy the custom policy to your designated hosts (all hosts or a defined subset of hosts), or manually upload it to the Agent on each host.
Next, use the following instructions to upload the policy file to each host.
Copy the `default.policy` file to the target host in the `/etc/datadog-agent/runtime-security.d` folder. The file must have read and write access for the `root` user on the host. This may require use of a utility such as SCP or FTP.
To apply the changes, restart the Datadog Agent.
Create a ConfigMap containing `default.policy`, for example, `kubectl create configmap jdefaultpol --from-file=default.policy`.
Add the ConfigMap (`jdefaultpol`) to `values.yaml` with `datadog.securityAgent.runtime.policies.configMap`:
```yaml
securityAgent:
  # [...]
  runtime:
    # datadog.securityAgent.runtime.enabled
    # Set to true to enable Security Runtime Module
    enabled: true
    policies:
      # datadog.securityAgent.runtime.policies.configMap
      # Place custom policies here
      configMap: jdefaultpol
  # [...]
```
Upgrade the Helm chart with `helm upgrade <RELEASENAME> -f values.yaml --set datadog.apiKey=<APIKEY> datadog/datadog`.
Note: If you need to make further changes to `default.policy`, you can either use `kubectl edit cm jdefaultpol` or replace the configMap with `kubectl create configmap jdefaultpol --from-file default.policy -o yaml --dry-run=client | kubectl replace -f -`.
After you upload the new default policy file to the Agent, navigate to the Threat Detection Rules page.
On the Threat Detection Rules page, select New Rule, and then select Manual rule creator.
Select a rule type:
Define search queries: combine Agent rules using boolean operators (`||`, `&&`). You can also set the counter, group by, and roll-up window.
Set rule cases: `a>0` means a security signal triggers as long as the rule condition set in the search query is met at least once in the sliding time window.
Say what's happening: Name the rule and add the notification message in Markdown format. Use Notification variables to provide specific details about the signal by referencing its tags and event attributes. After the message, add multiple tags to give more context to the signals generated by your custom rule.
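To make the counter, group-by and roll-up window settings concrete, here is an added example (not code from the Datadog documentation) that simulates how a rule case such as `a>0` turns Agent-rule matches into signals. The window model is a simplification assumed for this example: a window opens at a group's first match and rolls up later matches for `window_seconds`. It also generalises the page's `a>0` case with a `threshold` parameter so that `a>1` can be compared side by side.

```python
"""Added example (not code from the Datadog documentation): simulate how a
detection rule case such as `a>0` turns Agent-rule matches into security
signals, with a group-by key and a roll-up window as the page describes.
Simplifications that are assumptions of this example: a window opens at a
group's first match and rolls up later matches for `window_seconds`, and
the `threshold` parameter generalises the page's a>0 (threshold=0) case."""
from __future__ import annotations

from collections import defaultdict

# Constructed Agent-rule matches as (unix_seconds, group-by value); not real data.
SAMPLE_MATCHES = [
    (100, "web-1"),
    (130, "web-1"),   # 30 s after the first match on web-1: rolled up
    (150, "db-1"),
    (400, "web-1"),   # 300 s after the first match: a new window opens
]


def roll_up(matches, window_seconds: int = 300) -> dict[str, list[tuple[int, int]]]:
    """Bucket matches per group into windows; returns {group: [(window_start, count), ...]}."""
    windows: dict[str, list[tuple[int, int]]] = defaultdict(list)
    for ts, group in sorted(matches):
        bucket = windows[group]
        if bucket and ts - bucket[-1][0] < window_seconds:
            start, count = bucket[-1]
            bucket[-1] = (start, count + 1)      # same window: increment the counter
        else:
            bucket.append((ts, 1))               # window expired or first match: open a new one
    return dict(windows)


def signals(matches, window_seconds: int = 300, threshold: int = 0) -> list[dict]:
    """Rule case `a > threshold`: one signal per window whose count exceeds it.
    threshold=0 is the page's a>0 case, so any match in a window raises a signal,
    and further matches in that window are folded into the same signal."""
    return [
        {"group": group, "window_start": start, "count": count}
        for group, buckets in roll_up(matches, window_seconds).items()
        for start, count in buckets
        if count > threshold
    ]


if __name__ == "__main__":
    for sig in signals(SAMPLE_MATCHES):
        print(f"signal: group={sig['group']} window_start={sig['window_start']} a={sig['count']}")
    # Raising the threshold to a>1 keeps only the window with repeated matches.
    print("a>1 signals:", signals(SAMPLE_MATCHES, threshold=1))
```

With `a>0`, the four constructed matches produce three signals (two for `web-1`, because the fourth match falls outside the first 300 s window, and one for `db-1`); the second `web-1` match is rolled into the first signal rather than creating noise. Raising the case to `a>1` leaves only the `web-1` window that saw repeated matches, which is the usual way to trade recall for fewer signals on a noisy Agent rule.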
To disable a default Agent rule, navigate to the Agent Configuration page and select the rule toggle. When you disable a default Agent rule, the change is saved along with other pending rule updates. To apply the change to your environment, deploy the updated custom policy to the Agent.