OOTB Rules

Datadog provides out-of-the-box (OOTB) detection rules to flag attacker techniques and potential misconfigurations so you can immediately take steps to remediate. Datadog continuously develops new default rules, which are automatically imported into your account, your Application Security Management library, and the Agent, depending on your configuration. For more information, see the Detection Rules documentation.

Click on the buttons below to filter by different parts of Datadog Security. OOTB rules are available for Cloud SIEM, Posture Management, which is divided into cloud or infrastructure configuration, Workload Security, and Application Security Management.

AllAPPLICATION SECURITYCLOUD SECURITY MANAGEMENTCLOUD SIEM (LOG DETECTION)CLOUD SIEM (SIGNAL CORRELATION)POSTURE MANAGEMENT (CLOUD)POSTURE MANAGEMENT (INFRA)WORKLOAD SECURITY

ACM

>

ACM certificate has been validated
ACM certificate is active
ACM certificate is set to be active past the next 7 days
ACM certificate is valid for 30 or more days

Amazon Fsx

>

AWS FSx Excessive File Denied

Apache

>

Apache HTTP requests from security scanner

Application Security

>

Cassandra injection vulnerability triggered
CQL injections attempts on routes performing Cassandra queries
Credential Stuffing attack
Excessive account creations from an IP
Excessive account deletion from an IP
Excessive payment failures from IP
Local File Inclusion (LFI) attack attempts
Log4shell RCE attempts - CVE-2021-44228
Log4shell vulnerability triggered (RCE) - CVE-2021-44228
Mongo injections attempted on route performing Mongo queries
OGNL injection attack attempts on routes parsing OGNL
OGNL injection attempts on route processing OGNL expressions
Password reset brute force attempts
Rate limited activity from IP
Reflected XSS attempts on routes returning HTML
Resource enumeration detected
Security scanner detected
Spring4shell RCE attempts - CVE-2022-22963
SQL injection attempts on routes performing SQL queries
SQL injection vulnerability triggered
SSRF attempts on route executing network queries
SSRF vulnerability triggered
Unauthenticated activity detected
Unauthorized activity detected
User activity detected from outside authorized countries
User activity detected from unauthorized countries
User activity from Tor

Auth0

>

Auth0 user logged in with a breached password
Brute force attack on an Auth0 user
Credential stuffing attack on Auth0
Impossible Travel Auth0 login

AWS

>

AWS Verified Access anomalous failed authentication attempts by host
AWS Verified Access anomalous failed authentication attempts by IP
AWS Verified Access anomalous failed authentication attempts by user
Brute forced ConsoleLogin event correlates with an assumed role event
ConsoleLogin event correlates privileged policy applying to a role
Impossible travel event leads to permission enumeration

AWS Eks Cluster

>

AWS EKS cluster has private endpoint enabled and public access disabled
AWS EKS cluster public network access is restricted

AWS Logging Log Metric

>

Log metric filter and alarm exist for AWS config configuration changes
Log metric filter and alarm exist for AWS management console authentication failures
Log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Log metric filter and alarm exist for CloudTrail configuration changes
Log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Log metric filter and alarm exist for IAM policy changes
Log metric filter and alarm exist for management console sign-in without MFA
Log metric filter and alarm exist for route table changes
Log metric filter and alarm exist for S3 bucket policy changes
Log metric filter and alarm exist for security group changes
Log metric filter and alarm exist for unauthorized API calls
Log metric filter and alarm exist for usage of 'root' account
Log metric filter and alarm exist for VPC changes
Log metric filter and alarm exists for AWS organizations changes
Log metric filter and alarm exists for changes to network gateways

Azure

>

Azure Active Directory risky sign-in
Azure AD brute force login
Azure AD Identity Protection risky user
Azure AD Login Without MFA
Azure AD member assigned built-in Administrator role
Azure AD member assigned Global Administrator role
Azure AD Privileged Identity Management member assigned
Azure Datadog Log Forwarder Deleted
Azure diagnostic setting deleted or disabled
Azure disk export URI created
Azure Firewall Threat Intelligence Alert
Azure Frontdoor WAF Blocked a Request
Azure Frontdoor WAF Logged a Request
Azure Login Explicitly Denied MFA
Azure Network Security Group Open to the World
Azure Network Security Groups or Rules Created, Modified, or Deleted
Azure new owner added for service principal
Azure New Owner added to Azure Active Directory application
Azure New Service Principal created
Azure Policy Assignment Created
Azure Service Principal was assigned a role
Azure snapshot export URI created
Azure SQL Server Firewall Rules Created or Modified
Azure user invited an external user
Azure user ran command on container instance
Azure user viewed CosmosDB access keys
Azure user viewed CosmosDB connection string
Brute-forced user has assigned a role
Credential added to Azure AD application
Credential added to rarely used Azure AD application
Credential Stuffing Attack on Azure
Microsoft 365 - Modification of Trusted Domain
Potential Illicit Consent Grant attack via Azure registered application
Tor client IP address identified within Azure environment
User ran a command on Azure Compute

Azure.Active Directory

>

Azure subscription custom administrator roles are disabled

Azure.Activity Log

>

User has 'Create or Update Load Balancer' activity log alert configured
User has 'Create or Update Network Security Group' activity log alert configured
User has 'Create or Update Security Solutions' activity log alert configured
User has 'Create or Update SQL Server Firewall Rule' activity log alert configured
User has 'Create or Update Storage Accounts' activity log alert configured
User has 'Create or Update Virtual Machines' activity log alert configured
User has 'Create Policy Assignment' activity log alert configured
User has 'Create Update Azure SQL Database' activity log alert configured
User has 'Create Update MySQL Database' activity log alert configured
User has 'Create Update PostgreSQL Database' activity log alert configured
User has 'Deallocate Virtual Machines' activity log alert configured
User has 'Delete Azure SQL Database' activity log alert configured
User has 'Delete Key Vault' activity log alert configured
User has 'Delete Load Balancer' activity log alert configured
User has 'Delete MySQL Database' activity log alert configured
User has 'Delete Network Security Group' activity log alert configured
User has 'Delete Policy Assignment' activity log alert configured
User has 'Delete PostgreSQL Database' activity log alert configured
User has 'Delete Security Solution' activity log alert configured
User has 'Delete SQL Server Firewall Rule' activity log alert configured
User has 'Delete Storage Accounts' activity log alert configured
User has 'Delete Virtual Machines' activity log alert configured
User has 'Power Off Virtual Machine' activity log alert configured
User has 'Rename Azure SQL Database' activity log alert configured
User has 'Update Key Vault' activity log alert configured
User has 'Update Security Policy' activity log alert configured

Azure.App Service

>

Azure App Service is set to always on

Azure.Appservice

>

Azure App Service has remote debugging disabled
Azure HTTP version is the latest available
Azure is using the latest version of Java to run Web Apps
Azure is using the latest version of PHP to run Web Apps
Azure is using the latest version of Python to run Web Apps
FTP deployments are disabled
Register with Azure Active Directory is enabled on App Service
Web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Web app is using the latest version of TLS encryption
Web app redirects all HTTP traffic to HTTPS in Azure App Service

Azure.Compute

>

'OS and Data' disks are encrypted with CMK
'Unattached disks' are encrypted with CMK
Azure VM requires SSH Authentication
Virtual Machines are utilizing Managed Disks

Azure.Dbformysql

>

SSL connection on MySQL Database Server is enabled

Azure.Dbforpostgresql

>

Access to Azure services for PostgreSQL Database Server is disabled
Azure PostgreSQL database server uses geo-redundant backups
Azure PostgreSQL Database Server uses the current major PostgreSQL version
Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server
Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
SSL connection on PostgreSQL Database Server is enabled

Azure.Keyvault

>

All keys in Azure Key Vault have an expiration time set
All secrets in the Azure Key Vault have an expiration time set
Azure Key Vault is recoverable

Azure.Kubernetes

>

Azure Kubernetes Service (AKS) Private Cluster Feature is enabled
RBAC within Azure Kubernetes Services is enabled

Azure.Monitor

>

Diagnostic Setting captures appropriate categories

Azure.Network

>

Network Security Group is configured with specific port rules to restrict unauthorized access

Azure.Networkwatcher

>

Network Security Group Flow Log retention period is 'greater than 90 days'

Azure.Policy

>

'Automatic provisioning of monitoring agent' is set to 'On'

Azure.Security

>

Azure Security Center is configured to send email notifications about security alerts to subscription owners
Azure Security Center is configured to send email notifications about security alerts with High severity
Azure Security Center is configured with a security contact email
PostgreSQL Database ingress traffic is restricted to specified IP addresses
RDP access is restricted from the Internet
SQL Databases only allow ingress traffic from specific IP addresses
SSH access is restricted from the Internet
UDP Services are restricted from the Internet

Azure.Sql

>

Audit data for Azure SQL is retained for at least 90 days
Auditing on SQL Server is enabled
Azure Active Directory Admin is configured for Azure SQL
Data encryption on SQL Database Server is enabled
SQL Server Vulnerability Assessments send scan reports to subscribed admins
SQL server's Transparent Data Encryption (TDE) protector is encrypted with a customer-managed key
Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for a SQL server
Vulnerability Assessment (VA) setting Periodic Recurring Scans is enabled on a SQL server

Azure.Storage

>

'Blob public access' is disabled for storage accounts with blob containers
'Secure transfer required' is set to 'Enabled'
'Trusted Microsoft Services' is enabled for Storage Account access
Blob Containers anonymous access is restricted
Default network access rule for Storage Accounts is set to deny
Soft delete is enabled for Azure Storage
Storage account containing the blob container with activity logs is encrypted with Customer Managed Key
Storage containers storing activity logs are accessible only by authorized personnel
Storage for critical data is encrypted with Customer Managed Key

Cloud Workload Security

>

AppArmor profile modified
Compiler executed in container
Compiler wrote suspicious file
Container management utility in container
Database process spawned shell
Dirty Pipe exploitation attempted
DNS lookup for cryptocurrency mining pool
DNS lookup for IP lookup service
DNS lookup for paste service
Exfiltration attempt via network utility
File created and executed inside container
Interactive shell spawned in container
Java process spawned shell
Local account password modified
Memfd object created
Network scanning utility executed
Network utility accessed cloud metadata service
Network utility executed
Network utility executed in container
Network utility executed with suspicious URI
Package installed in container
Process arguments match cryptocurrency miner
Process injected into another process
PTRACE_TRACEME used to prevent process debugging
Pwnkit privilege escalation attempt
Python executed with suspicious arguments
Runc binary modified
Shell command history modified
Suspected dynamic linker hijacking attempt
Unfamiliar command spawned from web server
Unfamiliar kernel module loaded
Unfamiliar kernel module loaded from memory
Unfamiliar process accessed AWS EKS service account token
Unfamiliar process accessed Kubernetes pod service account token
User created interactively

Cloudfront

>

Cloudfront distribution is encrypted
Cloudfront distribution is field-level encrypted
CloudFront distribution is integrated with WAF
CloudFront distribution's security policy is TLS v1.1 or greater
CloudFront logging is enabled
Cloudfront viewer is encrypted

Cloudtrail

>

A user received an anomalous number of AccessDenied errors
Amazon S3 bucket policy modified
Amazon SES enumeration attempt by previously unseen user
Amazon SES modification attempt
An AWS account attempted to leave the AWS Organization
An AWS S3 bucket lifecycle expiration policy was set to disabled
An AWS S3 bucket lifecycle policy expiration is set to < 90 days
An AWS S3 bucket mfaDelete is disabled
An EC2 instance attempted to enumerate S3 bucket
Anomalous amount of access denied events for AWS EC2 Instance
Anomalous amount of Autoscaling Group events
Anomalous API Gateway API key reads by user
Anomalous number of assumed roles from user
Anomalous number of S3 buckets accessed
Anomalous S3 bucket activity from user ARN
At least one CloudTrail trail is multi-region per AWS account
AWS AMI Made Public
AWS CloudTrail configuration modified
AWS CloudWatch log group deleted
AWS CloudWatch rule disabled or deleted
AWS Config modified
AWS Console login without MFA
AWS ConsoleLogin with MFA triggered Impossible Travel scenario
AWS ConsoleLogin without MFA triggered Impossible Travel scenario
AWS Detective Graph deleted
AWS Disable Cloudtrail with event selectors
AWS EBS default encryption disabled
AWS EBS Snapshot Made Public
AWS EBS Snapshot possible exfiltration
AWS EC2 new event for application
AWS EC2 new event for EKS Node Group
AWS EC2 subnet deleted
AWS ECS cluster deleted
AWS EventBridge rule disabled or deleted
AWS GuardDuty detector deleted
AWS GuardDuty publishing destination deleted
AWS GuardDuty threat intel set deleted
AWS IAM activity from EC2 instance
AWS IAM AdministratorAccess policy was applied to a group
AWS IAM AdministratorAccess policy was applied to a role
AWS IAM AdministratorAccess policy was applied to a user
AWS IAM policy changed
AWS IAM privileged policy was applied to a group
AWS IAM privileged policy was applied to a role
AWS IAM privileged policy was applied to a user
AWS Kinesis Firehose stream destination modified
AWS KMS key deleted or scheduled for deletion
AWS Network Access Control List created or modified
AWS Network Gateway created or modified
AWS RDS Cluster deleted
AWS root account activity
AWS Route 53 DNS query logging disabled
AWS Route 53 VPC disassociated from query logging configuration
AWS Route Table created or modified
AWS S3 Bucket ACL made public
AWS S3 Public Access Block removed
AWS security group created, modified or deleted
AWS Security Hub disabled
AWS VPC created or modified
AWS VPC Flow Log Deleted
AWS WAF traffic blocked by specific rule
AWS WAF traffic blocked by specific rule on multiple IPs
AWS WAF web access control list deleted
AWS WAF web access control list modified
CloudTrail global services are enabled
CloudTrail log file validation is enabled
CloudTrail logs are encrypted at rest using KMS CMKs
CloudTrail logs S3 bucket is inaccessible over the public internet
CloudTrail trails are integrated with CloudWatch Logs
Compromised AWS EC2 Instance
Compromised AWS IAM User Access Key
Encrypted administrator password retrieved for Windows EC2 instance
New Amazon EC2 Instance type
New AWS account seen assuming a role into AWS account
New Private Repository Container Image detected in AWS ECR
New Public Repository Container Image detected in AWS ECR
New user seen executing a command in an ECS task
Object-level logging is enabled for S3 bucket read events
Object-level logging is enabled for S3 bucket write events
Possible AWS EC2 privilege escalation via the modification of user data
Possible privilege escalation via AWS IAM CreateLoginProfile
Possible RDS Snapshot Exfiltration
Potential administrative port open to the world via AWS security group
Potential brute force attack on AWS ConsoleLogin
Potential database port open to the world via AWS security group
S3 bucket access logging is enabled on the CloudTrail S3 bucket
Security group open to the world
The AWS managed policy AWSCompromisedKeyQuarantineV2 has been attached
Tor client IP address identified within AWS environment
User enumerated AWS Secrets Manager - Anomaly
User enumerated AWS Systems Manager parameters - Anomaly
User travel was impossible in AWS CloudTrail IAM log

Docker

>

All Docker swarm overlay networks are encrypted
Auditing for Docker Daemon executable is configured
Auditing for Docker local storage is configured
Auditing for the containerd executable is configured
Auditing for the default Docker configuration file is configured
Auditing for the default Docker configuration file is configured - RHEL
Auditing for the Docker daemon configuration file is configured
Auditing for the docker.service file is configured
Auditing for the docker.socket file is configured
Auditing for the runc executable is configured
Auditing is configured for Docker-related files
Authorization for Docker client commands is enabled
Base device size set to default value (10 GB)
CA certificates are rotated as appropriate
Centralized and remote logging is configured
Configure applicable cluster role-based access control policies
Configure the LDAP authentication service
Container has memory usage limits configured
Container health is always monitored
Container host has been hardened
Container image includes HealthCheck instructions
Container is restricted from acquiring additional privileges
Container root file system is set to read-only
Container sprawl is avoided
Container's PIDs cgroup limit parameter is set
Containers are restricted from acquiring new privileges
Containers have an AppArmor profile enabled
Containers only run in non-privileged mode
Containers prohibit Docker socket mounting
Containers run using non-root user accounts
Containers use a non-default bridge network.
Containers use only trusted base images
Containers use the cgroup configured in Docker
Content trust for Docker is enabled
COPY is used instead of ADD in Dockerfiles
CPU priorities are set to ensure critical containers remain responsive
Daemon-wide custom seccomp profile is applied if appropriate
Default cgroup usage has been confirmed
Default Docker configuration file can only be altered by owners
Default Docker configuration file can only be altered by owners - RHEL
Default Docker configuration file is owned by the root account and group
Default Docker configuration file is owned by the root account and group - RHEL
Default ulimit is configured appropriately
Default ulimit is overwritten at runtime if needed
Docker commands always make use of the latest version of their image
Docker daemon logging level is set to 'info'
Docker exec commands are used with a non-root user option
Docker exec commands are used without the privileged option
Docker is authorized to make firewall configuration changes
Docker local storage is mounted on a separate disk partition
Docker related files are owned by the root account and group
Docker related files can only be altered by owners
Docker server certificate file permissions are set to read-only or more restrictive
Docker uses a storage driver other than AUFS
Docker version is up to date
Docker's secret management commands are used for managing secrets in a swarm cluster
Dockerfile is free of stored secrets
Dockerfile is void of any update instructions
Enable image vulnerability scanning
Enable signed image enforcement
Enable user namespace support
Enforce the use of client certificate bundles for unprivileged users
Experimental features are disabled in production
Host devices are hidden from containers
Host's IPC namespace is isolated from containers
Host's network namespace is hidden from containers
Host's process namespace is isolated from containers
Image sprawl is avoided
Images are scanned and rebuilt to include security patches
Incoming container traffic is bound to a specific host interface
Linux kernel capabilities are restricted to only those which are required
Live restore is enabled
Management plane traffic is separated from data plane traffic
Mapping of privileged ports within containers is restricted
Minimum number of manager nodes have been created in a swarm
Mount propagation mode is always set to a non-shared option
Network traffic is restricted between containers on the default network bridge
Node certificates are rotated as appropriate
Only necessary packages are installed in the container
Only needed ports are open on the container
Only the owner of the server certificate key file can read its contents
Only the root account and Docker group members can control the Docker daemon
Only the root account and Docker group members can read and write to the Docker socket file
Only the root account and Docker group members have ownership of the Docker socket file
Only the root account and group have ownership of the daemon.json file
Only the root account and group have ownership of the Docker server certificate file
Only the root account and group have ownership of the Docker server certificate key file
Only the root account and group have ownership of the docker.service file
Only the root account and group have ownership of the TLS CA certificate file
Only the root account and group have ownership over the docker.socket file
Only the root account and group have ownership over the registry certificate file
Only the root account has write permissions to the daemon.json file
Only the root account has write permissions to the docker.service file
Only the root account has write permissions to the docker.socket file
Only verified packages are are installed
Private registry uses TLS encryption
Registry certificate file permissions are set to read-only or more restrictive
Restart attempts on container failure is limited to 5 attempts
Seccomp profiles are enabled for filtering incoming system calls
SELinux security options are configured
Sensitive host system directories are not mounted on containers
Set the "Lifetime Minutes" and "Renewal Threshold Minutes" values to '15' or lower and '0' respectively
Set the per-user session limit to a value of '3' or lower
setuid and setgid permissions are removed
sshd is disabled in containers
Swarm manager auto-lock key is rotated periodically
Swarm manager is run in auto-lock mode
Swarm mode is disabled
Swarm services are bound to a specific host interface
TLS authentication is configured for Docker daemon
TLS CA certificate file permissions are set to read-only or more restrictive
Use external certificates
User namespaces isolated between host and containers
Userland Proxy is Disabled
UTS Namespace is only allocated to the Host

EBS

>

EBS snapshot is encrypted
EBS volume is encrypted
EBS volume snapshot is shared with explicitly defined AWS accounts

EC2

>

Access to PostgreSQL Database Server port is restricted
Amazon Machine Image (AMI) is only available to trusted accounts
EC2 instance configured with a non-privileged IAM role
EC2 instance uses IMDSv2
IAM Access Analyzer is enabled for all regions
Inbound CIFS access is restricted
Inbound DNS access is restricted
Inbound FTP access is restricted
Inbound HTTP access is restricted
Inbound HTTPS access is restricted
Inbound ICMP access is restricted
Inbound MongoDB access is restricted
Inbound MSSQL access is restricted
Inbound MySQL access is restricted
Inbound OpenSearch access is restricted
Inbound Oracle access is restricted
Inbound RPC access is restricted
Inbound SMTP access is restricted
Inbound SSH access is restricted
Inbound TCP NetBIOS access is restricted
Inbound Telnet access is restricted
Inbound UDP NetBIOS access is restricted
Outbound access on all ports is restricted
Publicly accessible EC2 instance doesn't have open administrative ports
Publicly Accessible EC2 instances are configured with least-privileged IAM roles
Security groups restrict ingress traffic to remote admin ports to specified IPv4 addresses
Security groups restrict ingress traffic to remote admin ports to specified IPv6 addresses
VPC default security groups restrict all traffic

Elasticache

>

ElastiCache cluster is provisioned in a VPC
ElastiCache cluster is using non-default ports
ElastiCache cluster is using the latest engine version

Elasticsearch

>

Elasticsearch cluster is using the latest engine version
Elasticsearch domain is inacessible over the public internet
Elasticsearch domain resides in a VPC
Elasticsearch domains are encrypted
Elasticsearch domains are encrypted with KMS Customer Master Keys

ELB

>

AWS ELB HTTP requests from security scanner
Classic Load Balancer listener is securely configured
ELB is generating access logs

Elbv2

>

ELBv2 ALB is using a secure listener
ELBv2 is generating access logs
ELBv2 load balancer is using the latest security policy

Fastly

>

Fastly HTTP Requests from Security Scanner

File Integrity Monitoring

>

Credentials file modified
Critical system binary modified
Cron job modified
Kernel module directory modified
Name Service Switch configuration modified
SELinux enforcement disabled
SSH authorized keys modified
SSL certificate tampering
System authentication files modified
Systemd service modified

GCP

>

Access denied for Google Cloud Service Account
Anomalous number of Google Cloud Compute GPU virtual machines created
Anomalous number of Google Cloud Storage Buckets Accessed
Anomalous number of Google Cloud Storage Objects Accessed
Anomalous number of Google Compute Engine instances created in multiple zones by user
Attempt to add SSH key to Google Compute Engine project metadata by a previously unseen user
Google App Engine service account used outside of Google Cloud
Google Cloud BigQuery - query results saved to cloud storage
Google Cloud BigQuery - query results saved to new table
Google Cloud BigQuery results saved to cloud storage by a previously unseen user
Google Cloud Compute Engine GPU virtual machine instance created
Google Cloud GCE instance startup script added or modified
Google Cloud IAM policy modified
Google Cloud IAM role created
Google Cloud IAM Role updated
Google Cloud Logging Bucket deleted
Google Cloud logging sink modified
Google Cloud Project external principal added as project owner
Google Cloud Pub/Sub Subscriber modified
Google Cloud Pub/Sub topic deleted
Google Cloud Service Account accessing anomalous number of Google Cloud APIs
Google Cloud Service Account created
Google Cloud Service Account Impersonation activity using access token generation
Google Cloud Service Account Impersonation using GCPloit Exploitation Framework
Google Cloud Service Account key created
Google Cloud SQL database modified
Google Cloud SQL instance data exported to cloud storage
Google Cloud SQL instance data exported to cloud storage by a previously unseen user
Google Cloud Storage Bucket contents downloaded without authentication
Google Cloud Storage Bucket enumerated
Google Cloud Storage Bucket modified
Google Cloud Storage Bucket permissions modified
Google Cloud unauthorized service account activity
Google Cloud unauthorized user activity
Google Compute Engine firewall egress rule opened to the world
Google Compute Engine firewall rule modified
Google Compute Engine image created
Google Compute Engine instance metadata SSH key added or modified
Google Compute Engine instances created in multiple zones by user
Google Compute Engine network created
Google Compute Engine network route created or modified
Google Compute Engine project metadata SSH key added or modified
Google Compute Engine service account used outside of Google Cloud
Potential Google Cloud cryptomining attack from Tor IP
Tor client IP address identified within Google Cloud environment

Google Bigquery Dataset

>

A default customer-managed encryption key (CMEK) is specified for the BigQuery data set

Google Bigquery Table

>

All BigQuery tables are encrypted with customer-managed encryption keys (CMEK)

Google Cloud Asset Inventory

>

Cloud Asset Inventory is enabled

Google Cloud SQL Instance

>

SQL database instances are configured private IP addresses

Google Compute Disk

>

VM disks for critical VMs are encrypted with customer-supplied encryption keys (CSEK)

Google Compute Firewall

>

RDP access is restricted from the internet
SSH access is restricted from the internet

Google Compute Instance

>

Block project-wide SSH keys is enabled for VM instances
Compute instances are configured with private IP addresses
Compute Instances are launched with Shielded VM enabled
Compute instances have confidential computing enabled
Instance is configured to use a non-default service accounts
Instances are configured to use a non-default service account with access to cloud APIs
Instances have IP forwarding disabled
OS Login is enabled for the project
Serial port connection is disabled for VM instance

Google Compute Network

>

Legacy networks do not exist for older projects
Project only uses non-default VPC networks

Google Compute Ssl Policy

>

HTTPS proxy load balancers only permit SSL policies with strong cipher suites
SSL proxy load balancers only permit SSL policies with strong cipher suites

Google Compute Subnetwork

>

VPC Flow Logs are enabled for all subnets in the VPC network

Google Dataproc Cluster

>

Dataproc cluster is encrypted using customer-managed encryption key

Google DNS Managed Zone

>

Cloud DNS DNSSEC uses a key-signing key with a secure algorithm other than RSASHA1
Cloud DNS DNSSEC uses a zone-signing key with a secure algorithm other than RSASHA1
DNSSEC is enabled for Cloud DNS

Google DNS Policy

>

Cloud DNS logging is enabled for VPC networks

Google Iam Policy

>

Audit logging is properly configured across all services and users in a project
Cloud Storage bucket access is restricted to authorized users
Separation of duties is enforced while assigning KMS-related roles to users

Google Kms Crypto Key

>

KMS Encryption Keys are rotated within a period of 90 days

Google Logging Log Bucket

>

Retention policies used for exporting logs are configured using the bucket lock on Cloud Storage buckets

Google Logging Log Metric

>

A log metric filter and alert exists for audit configuration changes
A log metric filter and alert exists for Cloud Storage IAM permission changes
A log metric filter and alert exists for SQL instance configuration changes
A log metric filter and alert exists for VPC network changes
A log metric filter and alerts exist for custom role changes
A log metric filter and alerts exist for project ownership assignments/changes
A log metric filter and alerts exist for VPC network firewall rule changes
A log metric filter and alerts exist for VPC Network route changes

Google Logging Log Sink

>

Log sinks are configured for all log entries

Google Service Account

>

Cloud KMS cryptokeys access is restricted to authenticated and authorized principals/identities
IAM users are assigned the 'Service Account User' or 'Service Account Token Creator' roles at the Service Account level
Only GCP-managed service account keys are used for service account
Separation of duties is enforced while assigning service account related roles to users
Service Accounts are only bound to non-administrative roles
User-managed or external keys for service accounts are rotated every 90 days or less

Google SQL Database Instance

>

'3625 (trace flag)' database flag is set to 'off' for SQL Server Instance
'cloudsql.enable_pgaudit' database flag is set to 'on' for centralized logging on Postgresql Instance
'contained database authentication' database flag is set to 'off' for SQL Server Instance
'cross db ownership chaining' database flag is set to 'off' for SQL Server Instance
'external scripts enabled' database flag is set to 'off' for SQL Server Instance
'local_infile' database flag is set to 'off' for MySQL Instance
'log_connections' database flag is set to 'on' for PostgreSQL Instance
'log_disconnections' database flag is set to 'on' for PostgreSQL Instance
'log_error_verbosity' database flag is set to 'DEFAULT or Stricter' for PostgreSQL Instance
'log_hostname' database flag is set to 'on' for PostgreSQL Instance
'log_min_duration_statement' database flag is set to '-1' (disabled) for PostgreSQL Instance
'log_min_error_statement' database flag is set to 'ERROR' or stricter for PostgreSQL Instance
'log_min_messages' database flag is set to at least 'WARNING' for PostgreSQL Instance
'log_statement' database flag is set appropriately for PostgreSQL Instance
'remote access' database flag is set to 'off' for SQL Server Instance
'skip_show_database' flag is set to 'on' for MySQL Instance
'user connections' database flag is set to a non-limiting value for SQL Server Instance
Automated backups are configured for SQL Database Instances
SQL database instance uses SSL for all incoming connections
SQL Database Instances only allow ingress traffic from specific IP addresses
SQL Server Instance 'user options' database flag is disabled

Google Storage Bucket

>

Cloud storage buckets have uniform bucket-level access enabled

Google.Workspace.Alert.Center

>

Google Workspace Alert Center

Gsuite

>

Domain added to Google Workspace allowlisted domains
Google Workspace accessed by Google
Google Workspace admin role created
Google Workspace administrator has disabled 2-step verification for organizational unit
Google Workspace administrator initiated a data transfer request
Google Workspace Tor client detected
Google Workspace user assigned to
Google Workspace user disabled 2-step verification
Google Workspace user edited account recovery information
Google Workspace user forwarding email out of non Google Workspace domain
Google Workspace user has unenrolled from Advanced Protection
Large amount of downloads on Google Drive
User attempted login with leaked password

Guardduty

>

AWS GuardDuty finding

IAM

>

A support role is set up to manage incidents with AWS Support
Access keys are created after initial set up for IAM users
Access keys are rotated every 90 days or less
All the expired SSL/TLS certificates stored in AWS IAM are removed
AWS IAM Role does not allow untrusted GitHub Actions to assume it
Hardware MFA is enabled for the 'root' user account
IAM access keys older than 1 year have been inactive over the past 30 days
IAM password policy has 14 or more characters
IAM password policy prevents password reuse
IAM policies are assigned and managed at the group level
IAM policies are set to provide only necessary and specific administrative privileges
IAM policy is set to expire passwords within 90 days or less
IAM policy is set to require at least one lowercase letter
IAM policy is set to require at least one number
IAM policy is set to require at least one symbol
IAM policy is set to require uppercase characters
IAM privileged user does not have admin permissions to your AWS account
IAM role trust policy does not contain a wildcard principal
IAM server certificate will expire within 30 days
MFA is enabled for the "root" account
Multi-factor authentication is enabled for all IAM users with a console password
Only non-root account access keys exist in the account
Only one active access key is available for any single IAM user

IIS

>

IIS HTTP requests from security scanner

Jumpcloud

>

Credential stuffing attack on Jumpcloud
Jumpcloud admin granted system privileges
Jumpcloud admin login without MFA
Jumpcloud admin triggered impossible travel scenario
Jumpcloud administrator role assigned
Jumpcloud policy created
Jumpcloud policy modified

KMS

>

Rotation for customer created symmetric CMKs is enabled

Kubernetes

>

--anonymous-auth argument is set to false
--event-qps argument is set to 0 or a level which ensures appropriate event capture
--hostname-override argument is disabled
--terminated-pod-gc-threshold argument is set as appropriate
A Kubernetes user attempted to perform a high number of actions that were denied
A Kubernetes user was assigned cluster administrator permissions
A minimal audit policy exists
A new Kubernetes admission controller was created
A unique Certificate Authority is used for etcd
Admission control plugin AlwaysPullImages is set
Admission control plugin EventRateLimit is set
Admission control plugin SecurityContextDeny is set if PodSecurityPolicy is disabled
Admission controller AlwaysAdmin is disabled
Admission controller NamespaceLifecycle is enabled
Admission controller NodeRestriction is enabled
Admission controller PodSecurityPolicy is enabled
Admission controller ServiceAccount is enabled
All namespaces have network policies defined
Allow Kubelets to manage changes to the iptables
Anonymous Request Authorized
API server anonymous-auth argument is set to false
API server audit log files are retained for at least 10 log file rotations
API server audit log files are rotated once the file reaches 100 MB or more
API server audit logs are enabled
API server audit logs are retained for at least 30 days
API server only allows explicitly authorized requests
API server only binds the API service to secure, known ports
API server only binds to secure API service addresses
API Server only makes use of Strong Cryptographic Ciphers
API server pod specification file can only be altered by owners
API server profiling is disabled
API server request timeout exceeds 60 seconds only if required
API Server requires HTTPS connections
API server secure port is enabled
API server uses a service account public key file for service accounts
API server uses secure authentication methods
API server uses TLS certificate client authentication
API server validates the service account token exists in etcd
API server verifies the kubelet's certificate before establishing connection
Apply security context to your pods and containers
Audit policy covers key security concerns
Basic authentication is disabled for the API server
Certificate authorities file can only be altered by owners
Certificate-based kubelet authentication is required
Client authentication is enabled for etcd
Client certificate authorities file is owned by root
Cluster-admin role is only used where required
CNI in use supports network policies
Configure image provenance using ImagePolicyWebhook admission controller
Consider external secret storage
Container Network Interface file ownership is set to root:root
Container Network Interface file permissions are set to 644 or more restrictive
Containers are configured to block privilege escalation
Controller Manager API service is bound to localhost
Controller manager has a service account private key file set
Controller manager pod specification file can only be altered by owners
Controller manager pod specification file is owned by root
Controller Manager profiling is disabled
controller-manager.conf file can only be altered by owners
Create administrative boundaries between resources using namespaces
Default Kubelet kernel parameter values are protected
Each controller uses individual service account credentials
Enable kubelet server certificate rotation on controller-manager
Encryption providers are appropriately configured
Etcd data directory is owned by the etcd user and group
Etcd data directory permissions can only be altered by owners
etcd is configured for peer authentication
etcd is configured with TLS encryption
etcd is encrypted at rest
etcd only allows the use of valid client certificates
Etcd pod specification file can only be altered by owners
Etcd pod specification file is owned by root
etcd server requires API servers present a client certificate and key when connecting
etcd server requires API servers present an SSL CA file when connecting
etcd uses TLS encryption for peer connections
Kube-proxy configuration file can only be altered by owners
Kube-proxy configuration file ownership is assigned to root
Kubelet client certificate rotation is enabled
Kubelet configuration file is owned by root
Kubelet connections use HTTPS
Kubelet nodes are only authorized to read objects they are associated with
Kubelet only allows explicitly authorized requests
Kubelet only makes use of Strong Cryptographic Ciphers
Kubelet read-only port is disabled
Kubelet requires HTTPS connections
Kubelet server certificate rotation is enabled
Kubelet service can only be altered by owners
Kubelet service file is owned by root
Kubelet uses TLS certificate client authentication
Kubernetes PKI certificate file can only be altered by owners
Kubernetes PKI directory is owned by root
Kubernetes PKI key file permissions are set to 600
Kubernetes Pod Created in Kube Namespace
Kubernetes Pod Created with hostNetwork
Kubernetes principal attempted to enumerate their permissions
Kubernetes Service Account Created in Kube Namespace
Kubernetes Service Created with NodePort
Limit admission of containers sharing the host IPC namespace
Limit admission of containers sharing the host PID namespace
Minimize access to create pods
Minimize access to secrets
Minimize the admission of containers wishing to share the host network namespace
Minimize the admission of containers with added capabilities.
Minimize the admission of containers with capabilities assigned
Minimize the admission of containers with the NET_RAW capability
Minimize the admission of privileged containers
Minimize the admission of root containers
Minimize wildcard use in Roles and ClusterRoles
New Kubernetes Namespace Created
New Kubernetes privileged pod created
Only non-default service accounts are in use
Only the root account and group have ownership of the admin.conf file
Only the root account and group have ownership of the API server pod specification file
Only the root account has write permissions to the admin.conf file
Pods utilize `root-ca-file` to pass serving certificates to the API server
Prefer using secrets as files over secrets as environment variables
Prevent use of self-signed certificates for TLS connections between etcd peers
RBAC is enabled for the API server
Resources are created in a non-default namespace
Scheduler API service is bound to localhost
Scheduler configuration file can only be altered by owners
Scheduler configuration file ownership is assigned to root
Scheduler pod specification file can only be altered by owners
Scheduler pod specification file ownership is assigned to root
Scheduler profiling is disabled
seccomp profile is set to docker/default in your pod definitions
Service account tokens are only mounted where necessary
The controller-manager.conf file is owned by root
The kubelet configuration file can only be altered by owners
The kubelet.conf file can only be altered by owners
The kubelet.conf file is owned by root
Timeouts on streaming connections are enabled
User Attached to a Pod
User authentication is implemented using secure methods other than client certificate authentication
User Exec into a Pod

Lambda

>

Lambda function has access to VPC resources
Lambda function is configured with a non-privileged execution role
Lambda function is inaccessible over the public internet
Lambda function uses latest runtime environment version

Microsoft 365

>

A new Microsoft 365 application was installed
A new Microsoft 365 Teams app is observed
Abnormal successful Microsoft 365 Exchange login event
Exchange Online mail forwarding rule enabled
Microsoft 365 Anomalous Amount of Deleted Emails
Microsoft 365 Anomalous Amount of Downloaded files
Microsoft 365 OneDrive Anonymous Link Created
Microsoft 365 SharePoint object shared with guest
Microsoft 365 Unified Audit Logging Disabled
Unusual Authentication by Microsoft 365 Azure AD Service Principal

Multi Log Sources

>

Base64 was detected in an http.user_agent or http.referrer
Credential stuffing attack
Log4j Scanner detected in user agent or referrer
Log4Shell Scanning Detected
Potential cryptomining detected through IP callback
Spring RCE post-exploitation activity attempted
TEMPLATE - Brute Force Attack Grouped By IP
TEMPLATE - Stolen Laptop Connected to Network

Nginx

>

NGINX HTTP requests from security scanner

Nginx Ingress Controller

>

NGINX ingress controller HTTP requests from security scanner

NPM Based Threat Detection

>

BETA Connection to abused top-level domain
BETA Connection to penetration testing domain
BETA Docker daemon publicly accessible
BETA Egress over IRC port
BETA Kubernetes API publicly accessible
BETA Lateral movement via SSH
BETA Redis service publicly accessible
BETA Remote Desktop service publicly accessible
BETA Service exposed using ngrok
BETA SSH service publicly accessible

Okta

>

Malicious authentication attempt detected by Okta ThreatInsight
Multiple Okta push notifications denied
Okta administrator role assigned to user
Okta API Token Created or Enabled
Okta blocked numerous requests from a malicious IP
Okta Impersonation
Okta MFA Bypass Attempted
Okta MFA reset for user
Okta one-time refresh token reused
Okta policy rule deleted
Okta User Access Denied to Sign On
Okta User Attempted to Access Unauthorized App

Onelogin

>

OneLogin administrator assumed a user
OneLogin user granted administrative privileges
OneLogin user locked out
OneLogin user viewed secure note

RDS

>

RDS database instance has the 'Auto Minor Version Upgrade' flag enabled
RDS database instance is configured to use a non-default port
RDS database instance is encrypted
RDS database instance is inaccessible over the public internet
RDS database instance snapshot is inaccessible over the public internet

Redshift

>

Redshift cluster is configured to use a non-default port for communication
Redshift cluster is encrypted
Redshift cluster is inaccessible over the public internet
Redshift cluster is using a custom master username
Redshift cluster is using the EC2-VPC platform
Redshift cluster logging is enabled
Version upgrade is enabled for Redshift cluster

S3

>

'Block Public Access' feature is enabled for S3 bucket
S3 bucket ACL is only viewable by authorized principals
S3 bucket ACL is restricted from public view
S3 bucket ACLs are configured to block public write actions
S3 bucket contents are set to only be accessible by authorized principals via bucket policy
S3 bucket employs default encryption at-rest
S3 bucket has versioning enabled
S3 bucket MFA Delete feature is enabled
S3 bucket objects are restricted from being listed by all authenticated users
S3 bucket objects restrict public listing via ACL
S3 Bucket Policy is set to deny HTTP requests
S3 bucket policy prevents public write access

Salesforce

>

Anomalous amount of Salesforce query results
Anomalous amount of Salesforce records deleted
Credential stuffing attack on Salesforce
Salesforce Brute force attack on user
Salesforce Login from Disabled Account

Signal Sciences

>

Signal Sciences flagged an IP

SNS

>

SNS Topic has access restrictions set for subscription
SNS Topic has restrictions set for publishing
SNS Topic has server-side encryption
SNS Topic is inaccessible over the public internet

Sqreen

>

Security Incident Detected by Sqreen
User Logged into an Application from a New Country

SQS

>

SQS Queue has server-side encryption
SQS Queue is inaccessible over the public internet

Twistlock

>

Container image vulnerability detected
Container violated compliance standards

Vault

>

Vault Root Token

VPC

>

Network ACL inbound traffic is restricted
Network ACL ingress traffic to remote administration ports is restricted to specified IP addresses
Network ACL outbound traffic is restricted
VPC endpoint is inacessible over the public internet
VPC flow logging is enabled in all VPCs

Windows

>

Windows Audit Log Cleared
Windows Directory Service Restore Mode password changed
Windows Domain Admin Group Changed
Windows Firewall Disabled
Windows Net command executed to enumerate administrators
Windows User Added to Domain Admin Group