OOTB Rules

Datadog provides out-of-the-box (OOTB) detection rules to flag attacker techniques and potential misconfigurations so you can immediately take steps to remediate. Datadog continuously develops new default rules, which are automatically imported into your account, your Application Security Management library, and the Agent, depending on your configuration. For more information, see the Detection Rules documentation.

Click on the buttons below to filter by the different parts of Datadog Security. OOTB rules are available for Cloud SIEM, CSM Misconfigurations (divided into cloud configuration and infrastructure configuration), CSM Threats, and Application Security Management.

A remote time server for Chrony is configured
Add grpquota Option to /home
Add nodev Option to /dev/shm
Add nodev Option to /home
Add nodev Option to /tmp
Add nodev Option to /var
Add nodev Option to /var/log
Add nodev Option to /var/log/audit
Add nodev Option to /var/tmp
Add nodev Option to Removable Media Partitions
Add noexec Option to /dev/shm
Add noexec Option to /tmp
Add noexec Option to /var
Add noexec Option to /var/log
Add noexec Option to /var/log/audit
Add noexec Option to /var/tmp
Add noexec Option to Removable Media Partitions
Add nosuid Option to /dev/shm
Add nosuid Option to /home
Add nosuid Option to /tmp
Add nosuid Option to /var
Add nosuid Option to /var/log
Add nosuid Option to /var/log/audit
Add nosuid Option to /var/tmp
Add nosuid Option to Removable Media Partitions
Add usrquota Option to /home
All AppArmor Profiles are in enforce or complain mode
All GIDs referenced in /etc/passwd must be defined in /etc/group
All Interactive User Home Directories Must Be Group-Owned By The Primary Group
All Interactive User Home Directories Must Be Owned By The Primary User
All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
All Interactive Users Home Directories Must Exist
Audit Configuration Files Must Be Owned By Group root
Audit Configuration Files Must Be Owned By Root
Build and Test AIDE Database
Configure Accepting Router Advertisements on All IPv6 Interfaces
Configure AIDE to Verify the Audit Tools
Configure auditd admin_space_left Action on Low Disk Space
Configure auditd mail_acct Action on Low Disk Space
Configure auditd Max Log File Size
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
Configure auditd Number of Logs Retained
Configure auditd space_left Action on Low Disk Space
Configure auditd to use audispd's syslog plugin
Configure BIND to use System Crypto Policy
Configure Firewalld to Restrict Loopback Traffic
Configure Firewalld to Trust Loopback Traffic
Configure Kerberos to use System Crypto Policy
Configure Kernel Parameter for Accepting Secure Redirects By Default
Configure Libreswan to use System Crypto Policy
Configure ntpd To Run As ntp User
Configure OpenSSL library to use System Crypto Policy
Configure Periodic Execution of AIDE
Configure SELinux Policy
Configure server restrictions for ntpd
Configure SSH to use System Crypto Policy
Configure System Cryptography Policy
Deactivate Wireless Network Interfaces
Direct root Logins Not Allowed
Disable Accepting ICMP Redirects for All IPv4 Interfaces
Disable Accepting ICMP Redirects for All IPv6 Interfaces
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
Disable Apache Qpid (qpidd)
Disable Apport Service
Disable At Service (atd)
Disable Automatic Bug Reporting Tool (abrtd)
Disable Avahi Server Software
Disable core dump backtraces
Disable Core Dumps for All Users
Disable Core Dumps for SUID programs
Disable GNOME3 Automount Opening
Disable GNOME3 Automount running
Disable GNOME3 Automounting
Disable graphical user interface
Disable Host-Based Authentication
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
Disable Kernel Parameter for IPv6 Forwarding
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
Disable Kernel Support for USB via Bootloader Configuration
Disable Modprobe Loading of USB Storage Driver
Disable Mounting of cramfs
Disable Mounting of freevxfs
Disable Mounting of hfs
Disable Mounting of hfsplus
Disable Mounting of jffs2
Disable Mounting of squashfs
Disable Mounting of udf
Disable Network File System (nfs)
Disable Network Router Discovery Daemon (rdisc)
Disable ntpdate Service (ntpdate)
Disable Odd Job Daemon (oddjobd)
Disable Postfix Network Listening
Disable rpcbind Service
Disable SSH Access via Empty Passwords
Disable SSH Root Login
Disable SSH Support for .rhosts Files
Disable storing core dump
Disable systemd-journal-remote Socket
Disable the Automounter
Disable the CUPS Service
Disable the GNOME3 Login User List
Disable XDMCP in GDM
Do Not Allow SSH Environment Options
Enable auditd Service
Enable Auditing for Processes Which Start Prior to the Audit Daemon
Enable authselect
Enable cron Daemon
Enable cron Service
Enable GNOME3 Login Warning Banner
Enable GNOME3 Screensaver Lock After Idle Period
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default
Enable NX or XD Support in the BIOS
Enable PAM
Enable Randomized Layout of Virtual Address Space
Enable rsyslog Service
Enable SSH Warning Banner
Enable systemd_timesyncd Service
Enable systemd-journald Service
Enable the NTP Daemon
Enable the NTP Daemon (al2023)
Enable the NTP Service
Enforce usage of pam_wheel for su authentication
Enforce Usage of pam_wheel with Group Parameter for su Authentication
Ensure /dev/shm is configured
Ensure /tmp Located On Separate Partition
Ensure /var/log Located On Separate Partition
Ensure /var/log/audit Located On Separate Partition
Ensure a Table Exists for Nftables
Ensure All Accounts on the System Have Unique Names
Ensure All Accounts on the System Have Unique User IDs
Ensure All Files Are Owned by a Group
Ensure All Files Are Owned by a User
Ensure All Groups on the System Have Unique Group ID
Ensure All Groups on the System Have Unique Group Names
Ensure All SGID Executables Are Authorized
Ensure All SUID Executables Are Authorized
Ensure all users last password change date is in the past
Ensure AppArmor is enabled in the bootloader configuration
Ensure AppArmor is installed
Ensure auditd Collects File Deletion Events by User
Ensure auditd Collects Information on Exporting to Media (successful)
Ensure auditd Collects Information on Kernel Module Loading and Unloading
Ensure auditd Collects Information on the Use of Privileged Commands
Ensure auditd Collects System Administrator Actions
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
Ensure Authentication Required for Single User Mode
Ensure Base Chains Exist for Nftables
Ensure gpgcheck Enabled for All yum Package Repositories
Ensure gpgcheck Enabled In Main yum Configuration
Ensure ip6tables Firewall Rules Exist for All Open Ports
Ensure iptables Firewall Rules Exist for All Open Ports
Ensure journald is configured to compress large log files
Ensure journald is configured to send logs to rsyslog
Ensure journald is configured to write log files to persistent disk
Ensure LDAP client is not installed
Ensure Log Files Are Owned By Appropriate Group
Ensure Log Files Are Owned By Appropriate User
Ensure Logs Sent To Remote Host
Ensure Mail Transfer Agent is not Listening on any non-loopback Address
Ensure network interfaces are assigned to appropriate zone
Ensure nftables Default Deny Firewall Policy
Ensure nftables Rules are Permanent
Ensure No Daemons are Unconfined by SELinux
Ensure No World-Writable Files Exist
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
Ensure PAM Displays Last Logon/Access Notification
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
Ensure PAM Enforces Password Requirements - Minimum Different Categories
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
Ensure PAM Enforces Password Requirements - Minimum Length
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
Ensure PAM Enforces Password Requirements - Minimum Special Characters
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
Ensure rsyslog Default File Permissions Configured
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
Ensure rsyslog is Installed
Ensure SELinux is Not Disabled
Ensure SELinux Not Disabled in /etc/default/grub
Ensure SELinux State is Enforcing
Ensure shadow Group is Empty
Ensure Software Patches Installed
Ensure SSH LoginGraceTime is configured
Ensure SSH MaxStartups is configured
Ensure Sudo Logfile Exists - sudo logfile
Ensure System Log Files Have Correct Permissions
Ensure that /etc/at.deny does not exist
Ensure that /etc/cron.deny does not exist
Ensure that chronyd is running under chrony user account
Ensure that Root's Path Does Not Include Relative Paths or Null Directories
Ensure that Root's Path Does Not Include World or Group-Writable Directories
Ensure that System Accounts Are Locked
Ensure that System Accounts Do Not Run a Shell Upon Login
Ensure the Default Bash Umask is Set Correctly
Ensure the Default C Shell Umask is Set Correctly
Ensure the Default Umask is Set Correctly For Interactive Users
Ensure the Default Umask is Set Correctly in /etc/profile
Ensure the Default Umask is Set Correctly in login.defs
Ensure the Group Used by pam_wheel Module Exists on System and is Empty
Ensure There Are No Accounts With Blank or Null Passwords
Ensure ufw Default Deny Firewall Policy
Ensure ufw Firewall Rules Exist for All Open Ports
Ensure Users Cannot Change GNOME3 Screensaver Settings
Ensure Users Cannot Change GNOME3 Session Idle Settings
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
Ensure users' .netrc Files are not group or world accessible
Install AIDE
Install firewalld Package
Install iptables Package
Install iptables-persistent Package
Install libselinux Package
Install nftables Package
Install PAE Kernel on Supported 32-bit x86 Systems
Install pam_pwquality Package
Install sudo Package
Install systemd-journal-remote Package
Install the systemd_timesyncd Service
Install ufw Package
Limit Password Reuse
Limit Password Reuse (ubuntu2204)
Limit Password Reuse: password-auth
Limit Password Reuse: system-auth
Limit Users' SSH Access
Lock Accounts After Failed Password Attempts
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
Make the auditd Configuration Immutable
Modify the System Login Banner
Modify the System Login Banner for Remote Connections
Modify the System Message of the Day Banner
Package "prelink" Must not be Installed
Prevent Login to Accounts With Empty Password
Record Attempts to Alter Logon and Logout Events
Record Attempts to Alter Process and Session Initiation Information
Record Attempts to Alter the localtime File
Record attempts to alter time through adjtimex
Record Attempts to Alter Time Through clock_settime
Record attempts to alter time through settimeofday
Record Attempts to Alter Time Through stime
Record Events that Modify the System's Discretionary Access Controls - chmod
Record Events that Modify the System's Discretionary Access Controls - chown
Record Events that Modify the System's Discretionary Access Controls - fchmod
Record Events that Modify the System's Discretionary Access Controls - fchmodat
Record Events that Modify the System's Discretionary Access Controls - fchown
Record Events that Modify the System's Discretionary Access Controls - fchownat
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
Record Events that Modify the System's Discretionary Access Controls - lchown
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
Record Events that Modify the System's Discretionary Access Controls - removexattr
Record Events that Modify the System's Discretionary Access Controls - setxattr
Record Events that Modify the System's Mandatory Access Controls
Record Events that Modify the System's Network Environment
Record Events that Modify User/Group Information
Remove ftp Package
Remove iptables-persistent Package
Remove NIS Client
Remove Rsh Trust Files
Remove telnet Clients
Remove tftp Daemon
Remove the GDM Package Group
Remove the X Windows Package Group
Remove ufw Package
Require Authentication for Emergency Systemd Target
Require Authentication for Single User Mode
Require Re-Authentication When Using the sudo Command
Restrict Serial Port Root Logins
Restrict Virtual Console Root Logins
Set Account Expiration Following Inactivity
Set Boot Loader Password in grub2
Set configuration for IPv6 loopback traffic
Set configuration for loopback traffic
Set Default firewalld Zone for Incoming Packets
Set Default ip6tables Policy for Incoming Packets
Set Default iptables Policy for Incoming Packets
Set Deny For Failed Password Attempts
Set Existing Passwords a Period of Inactivity Before They Are Locked
Set Existing Passwords Maximum Age
Set Existing Passwords Minimum Age
Set Existing Passwords Warning Age
Set GNOME3 Screensaver Inactivity Timeout
Set GNOME3 Screensaver Lock Delay After Activation Period
Set Interactive Session Timeout
Set Interval For Counting Failed Password Attempts
Set Lockout Time for Failed Password Attempts
Set LogLevel to INFO
Set nftables Configuration for Loopback Traffic
Set PAM's Password Hashing Algorithm
Set PAM's Password Hashing Algorithm - password-auth
Set Password Hashing Algorithm in /etc/login.defs
Set Password Maximum Age
Set Password Minimum Age
Set Password Minimum Length in login.defs
Set Password Warning Age
Set SSH authentication attempt limit
Set SSH Client Alive Count Max
Set SSH Client Alive Interval
Set SSH Daemon LogLevel to VERBOSE
Set SSH MaxSessions limit
Set the GNOME3 Login Warning Banner Text
Set the UEFI Boot Loader Password
Set UFW Loopback Traffic
Specify a Remote NTP Server
Specify a Remote NTP Server (al2023)
System Audit Logs Must Be Group Owned By Root
System Audit Logs Must Be Owned By Root
System Audit Logs Must Be Owned By Root (al2023)
System Audit Logs Must Have Mode 0640 or Less Permissive
System Audit Logs Must Have Mode 0750 or Less Permissive
The Chrony package is installed
The Chronyd service is enabled
Uninstall avahi Server Package
Uninstall avahi-autoipd Server Package
Uninstall bind Package
Uninstall CUPS Package
Uninstall cyrus-imapd Package
Uninstall DHCP Server Package
Uninstall dnsmasq Package
Uninstall dovecot Package
Uninstall httpd Package
Uninstall mcstrans Package
Uninstall net-snmp Package
Uninstall nfs-kernel-server Package
Uninstall nfs-utils Package
Uninstall nftables package
Uninstall nginx Package
Uninstall openldap-servers Package
Uninstall rpcbind Package
Uninstall rsh Package
Uninstall rsync Package
Uninstall Samba Package
Uninstall setroubleshoot Package
Uninstall squid Package
Uninstall talk Package
Uninstall telnet-server Package
Uninstall tftp-server Package
Uninstall the nis package
Uninstall vsftpd Package
Uninstall xinetd Package
Uninstall ypserv Package
Use Only FIPS 140-2 Validated Ciphers
Use Only FIPS 140-2 Validated MACs
Use Only Strong Ciphers
Use Only Strong Key Exchange algorithms
Use Only Strong MACs
User Initialization Files Must Be Group-Owned By The Primary Group
User Initialization Files Must Be Owned By the Primary User
User Initialization Files Must Not Run World-Writable Programs
Verify /boot/efi/EFI/redhat/user.cfg Group Ownership
Verify /boot/efi/EFI/redhat/user.cfg Permissions
Verify /boot/efi/EFI/redhat/user.cfg User Ownership
Verify /boot/grub/grub.cfg Permissions
Verify /boot/grub/grub.cfg User Ownership
Verify /boot/grub2/grub.cfg Group Ownership
Verify /boot/grub2/user.cfg Group Ownership
Verify /boot/grub2/user.cfg Permissions
Verify /boot/grub2/user.cfg User Ownership
Verify All Account Password Hashes are Shadowed
Verify All Account Password Hashes are Shadowed with SHA512
Verify and Correct File Permissions with RPM
Verify File Hashes with RPM
Verify firewalld Enabled
Verify Group Ownership of Message of the Day Banner
Verify Group Ownership of System Login Banner
Verify Group Ownership of System Login Banner for Remote Connections
Verify Group Who Owns /etc/at.allow file
Verify Group Who Owns /etc/cron.allow file
Verify Group Who Owns Backup group File
Verify Group Who Owns Backup gshadow File
Verify Group Who Owns Backup passwd File
Verify Group Who Owns Backup shadow File
Verify Group Who Owns cron.d
Verify Group Who Owns cron.daily
Verify Group Who Owns cron.hourly
Verify Group Who Owns cron.monthly
Verify Group Who Owns cron.weekly
Verify Group Who Owns Crontab
Verify Group Who Owns group File
Verify Group Who Owns gshadow File
Verify Group Who Owns passwd File
Verify Group Who Owns shadow File
Verify Group Who Owns SSH Server config file
Verify nftables Service is Disabled
Verify nftables Service is Enabled
Verify No .forward Files Exist
Verify No netrc Files Exist
Verify Only Root Has UID 0
Verify Owner on cron.d
Verify Owner on cron.daily
Verify Owner on cron.hourly
Verify Owner on cron.monthly
Verify Owner on cron.weekly
Verify Owner on crontab
Verify Owner on SSH Server config file
Verify ownership of Message of the Day Banner
Verify ownership of System Login Banner
Verify ownership of System Login Banner for Remote Connections
Verify Ownership on SSH Server Private *_key Key Files
Verify Ownership on SSH Server Public *.pub Key Files
Verify permissions of log files
Verify Permissions on /etc/at.allow file
Verify Permissions on /etc/audit/auditd.conf
Verify Permissions on /etc/audit/rules.d/*.rules
Verify Permissions on /etc/cron.allow file
Verify Permissions on Backup group File
Verify Permissions on Backup gshadow File
Verify Permissions on Backup passwd File
Verify Permissions on Backup shadow File
Verify Permissions on cron.d
Verify Permissions on cron.daily
Verify Permissions on cron.hourly
Verify Permissions on cron.monthly
Verify Permissions on cron.weekly
Verify Permissions on crontab
Verify Permissions on group File
Verify Permissions on gshadow File
Verify permissions on Message of the Day Banner
Verify Permissions on passwd File
Verify Permissions on shadow File
Verify Permissions on SSH Server config file
Verify Permissions on SSH Server Private *_key Key Files
Verify Permissions on SSH Server Public *.pub Key Files
Verify permissions on System Login Banner
Verify permissions on System Login Banner for Remote Connections
Verify Root Has A Primary GID 0
Verify that All World-Writable Directories Have Sticky Bits Set
Verify that audit tools are owned by group root
Verify that audit tools are owned by root
Verify that audit tools Have Mode 0755 or less
Verify that Shared Library Files Have Restrictive Permissions
Verify that Shared Library Files Have Root Ownership
Verify that System Executables Have Restrictive Permissions
Verify that System Executables Have Root Ownership
Verify the UEFI Boot Loader grub.cfg Group Ownership
Verify the UEFI Boot Loader grub.cfg Permissions
Verify the UEFI Boot Loader grub.cfg User Ownership
Verify ufw Enabled
Verify User Who Owns /etc/at.allow file
Verify User Who Owns /etc/cron.allow file
Verify User Who Owns Backup group File
Verify User Who Owns Backup gshadow File
Verify User Who Owns Backup passwd File
Verify User Who Owns Backup shadow File
Verify User Who Owns group File
Verify User Who Owns gshadow File
Verify User Who Owns passwd File
Verify User Who Owns shadow File
Azure
azure Azure Active Directory risky sign-in
azure Azure AD brute force login
azure Azure AD Identity Protection risky user
azure Azure AD Login Without MFA
azure Azure AD member assigned built-in Administrator role
azure Azure AD member assigned Global Administrator role
azure Azure AD possible MFA fatigue attack
azure Azure AD possible MFA fatigue attack followed by successful login
azure Azure AD Privileged Identity Management member assigned
azure Azure AD sign in from AADinternals default user agent
azure Azure AD sign in from AzureHound default user agent
azure Azure Datadog Log Forwarder Deleted
azure Azure diagnostic setting deleted or disabled
azure Azure disk export URI created
azure Azure Firewall Threat Intelligence Alert
azure Azure Frontdoor WAF Blocked a Request
azure Azure Frontdoor WAF Logged a Request
azure Azure Login Explicitly Denied MFA
azure Azure Network Security Group Open to the World
azure Azure Network Security Groups or Rules Created, Modified, or Deleted
azure Azure new owner added for service principal
azure Azure New Owner added to Azure Active Directory application
azure Azure New Service Principal created
azure Azure Policy Assignment Created
azure Azure Service Principal was assigned a role
azure Azure snapshot export URI created
azure Azure SQL Server Firewall Rules Created or Modified
azure Azure user invited an external user
azure Azure user ran command on container instance
azure Azure user viewed CosmosDB access keys
azure Azure user viewed CosmosDB connection string
azure Brute-forced user has assigned a role
azure Credential added to Azure AD application
azure Credential added to rarely used Azure AD application
azure Credential Stuffing Attack on Azure
azure Microsoft 365 - Modification of Trusted Domain
azure Potential Illicit Consent Grant attack via Azure registered application
azure Tor client IP address identified within Azure environment
azure User ran a command on Azure Compute
azure.activity_log
azure.activity_log Account should have a activity log alert configured for 'Create or Update Network Security Group'
azure.activity_log Account should have a activity log alert configured for 'Delete Load Balancer'
azure.activity_log Account should have a activity log alert configured for 'Delete Storage Accounts'
azure.activity_log Account should have a activity log alert configured for creating or updating storage accounts
azure.activity_log Account should have a activity log alert configured for creating or updating virtual machines
azure.activity_log Account should have a activity log alert configured for deallocating virtual machines
azure.activity_log Account should have a configured activity log alert for 'Delete MySQL Database'
azure.activity_log Account should have a configured activity log alert for 'Update Key Vault'
azure.activity_log Account should have a configured activity log alert for 'Delete Key Vault'
azure.activity_log Account should have a configured activity log alert for 'Delete PostgreSQL Database'
azure.activity_log Account should have a configured activity log alert for 'Rename Azure SQL Database'
azure.activity_log Account should have a configured activity log alert for 'Update Security Policy'
azure.activity_log Account should have a configured activity log alert for deleting Network Security Group
azure.activity_log Account should have a configured activity log alert for deleting policy assignments
azure.activity_log Account should have a configured activity log alert for deleting the SQL Server firewall rule
azure.activity_log Account should have a configured activity log alert for deleting VMs
azure.activity_log Account should have a configured activity log alert for load balancer updates
azure.activity_log Account should have a configured activity log alert for mysql database updates
azure.activity_log Account should have a configured activity log alert for PostgreSQL database updates
azure.activity_log Account should have a configured activity log alert for power off events
azure.activity_log Account should have a configured activity log alert for security solutions creation or updates
azure.activity_log Account should have a configured activity log alert for sql database updates
azure.activity_log The account should have a configured activity log alert for firewall rule creation or update
azure.activity_log The user should configure an activity log alert for SQL Database deletion
azure.activity_log User should have a 'Create Policy Assignment' activity log alert configured
azure.activity_log User should have a 'Delete Security Solution' activity log alert configured
Cloud Workload Security
cloud workload security AppArmor profile modified
cloud workload security Auditd configuration modified
cloud workload security Compiler executed in container
cloud workload security Compiler wrote suspicious file
cloud workload security Container accessed using kubectl in another container
cloud workload security Container management utility in container
cloud workload security Database process spawned shell
cloud workload security Dirty Pipe exploitation attempted
cloud workload security DNS lookup for cryptocurrency mining pool
cloud workload security DNS lookup for IP lookup service
cloud workload security DNS lookup for paste service
cloud workload security Executable bit added to newly created file
cloud workload security Exfiltration attempt via network utility
cloud workload security File created and executed inside container
cloud workload security Interactive shell spawned in container
cloud workload security Java process spawned shell
cloud workload security Kubernetes DNS enumeration
cloud workload security Kubernetes service account token created in container
cloud workload security Local account password modified
cloud workload security Memfd object created
cloud workload security Network scanning utility executed
cloud workload security Network utility accessed risky cloud metadata service
cloud workload security Network utility executed
cloud workload security Network utility executed in container
cloud workload security Network utility executed with suspicious URI
cloud workload security Offensive Kubernetes tool executed
cloud workload security Package installed in container
cloud workload security Process arguments match cryptocurrency miner
cloud workload security Process injected into another process
cloud workload security PTRACE_TRACEME used to prevent process debugging
cloud workload security Pwnkit privilege escalation attempt
cloud workload security Python executed with suspicious arguments
cloud workload security RC scripts modified
cloud workload security Recently written or modified suid file has been executed
cloud workload security Redis sandbox escape (CVE-2022-0543)
cloud workload security Resource enumerated using kubectl in container
cloud workload security Resource provisioned using kubectl in container
cloud workload security Runc binary modified
cloud workload security Sensitive namespace modified using kubectl
cloud workload security Shell command history modified
cloud workload security Sudoers policy file modified
cloud workload security Suspected dynamic linker hijacking attempt
cloud workload security Unfamiliar command spawned from web server
cloud workload security Unfamiliar kernel module loaded
cloud workload security Unfamiliar kernel module loaded from memory
cloud workload security Unfamiliar process accessed AWS EKS service account token
cloud workload security Unfamiliar process accessed Kubernetes pod service account token
cloud workload security User created interactively
Cloudtrail
cloudtrail A user received an anomalous number of AccessDenied errors
cloudtrail Amazon EC2 AMI exfiltration attempt by IAM user
cloudtrail Amazon S3 bucket policy modified
cloudtrail Amazon SES enumeration attempt by previously unseen user
cloudtrail Amazon SES modification attempt
cloudtrail Amazon SNS enumeration attempt by previously unseen user
cloudtrail An AWS account attempted to leave the AWS Organization
cloudtrail An AWS S3 bucket lifecycle expiration policy was set to disabled
cloudtrail An AWS S3 bucket lifecycle policy expiration is set to < 90 days
cloudtrail An AWS S3 bucket mfaDelete is disabled
cloudtrail An EC2 instance attempted to enumerate S3 bucket
cloudtrail Anomalous amount of access denied events for AWS EC2 Instance
cloudtrail Anomalous amount of Autoscaling Group events
cloudtrail Anomalous API Gateway API key reads by user
cloudtrail Anomalous number of assumed roles from user
cloudtrail Anomalous number of S3 buckets accessed
cloudtrail Anomalous number of secrets retrieved from AWS Secrets Manager
cloudtrail Anomalous S3 bucket activity from user ARN
cloudtrail AWS access key creation by previously unseen identity
cloudtrail AWS AMI Made Public
cloudtrail AWS CloudTrail configuration modified
cloudtrail AWS CloudTrail trail should have global service events enabled
cloudtrail AWS CloudWatch log group deleted
cloudtrail AWS CloudWatch rule disabled or deleted
cloudtrail AWS Config modified
cloudtrail AWS console login without MFA
cloudtrail AWS ConsoleLogin with MFA triggered Impossible Travel scenario
cloudtrail AWS ConsoleLogin without MFA triggered Impossible Travel scenario
cloudtrail AWS Detective Graph deleted
cloudtrail AWS Disable Cloudtrail with event selectors
cloudtrail AWS EBS default encryption disabled
cloudtrail AWS EBS Snapshot Made Public
cloudtrail AWS EBS Snapshot possible exfiltration
cloudtrail AWS EC2 new event for application
cloudtrail AWS EC2 new event for EKS Node Group
cloudtrail AWS EC2 subnet deleted
cloudtrail AWS ECS cluster deleted
cloudtrail AWS EventBridge rule disabled or deleted
cloudtrail AWS GuardDuty detector deleted
cloudtrail AWS GuardDuty publishing destination deleted
cloudtrail AWS GuardDuty threat intel set deleted
cloudtrail AWS IAM activity by S3 browser utility
cloudtrail AWS IAM activity from EC2 instance
cloudtrail AWS IAM AdministratorAccess policy was applied to a group
cloudtrail AWS IAM AdministratorAccess policy was applied to a role
cloudtrail AWS IAM AdministratorAccess policy was applied to a user
cloudtrail AWS IAM policy modified
cloudtrail AWS IAM Roles Anywhere trust anchor created
cloudtrail AWS IAM User created with AdministratorAccess policy attached
cloudtrail AWS Java_Ghost security group creation attempt
cloudtrail AWS Kinesis Firehose stream destination modified
cloudtrail AWS KMS key deleted or scheduled for deletion
cloudtrail AWS Lambda function modified by IAM user
cloudtrail AWS Lambda function resource-based policy modified by IAM user
cloudtrail AWS Network Access Control List created or modified
cloudtrail AWS Network Gateway created or modified
cloudtrail AWS RDS Cluster deleted
cloudtrail AWS root account activity
cloudtrail AWS Route 53 DNS query logging disabled
cloudtrail AWS Route 53 VPC disassociated from query logging configuration
cloudtrail AWS Route Table created or modified
cloudtrail AWS S3 Bucket ACL made public
cloudtrail AWS S3 Public Access Block removed
cloudtrail AWS security group created, modified or deleted
cloudtrail AWS Security Hub disabled
cloudtrail AWS VPC created or modified
cloudtrail AWS VPC Flow Log deleted
cloudtrail AWS WAF traffic blocked by specific rule
cloudtrail AWS WAF traffic blocked by specific rule on multiple IPs
cloudtrail AWS WAF web access control list deleted
cloudtrail AWS WAF web access control list modified
cloudtrail CloudTrail log file validation should be enabled
cloudtrail CloudTrail logs S3 bucket should not be publicly accessible
cloudtrail CloudTrail logs should be encrypted at rest using KMS CMKs
cloudtrail CloudTrail trails should be integrated with CloudWatch Logs
cloudtrail Compromised AWS EC2 Instance
cloudtrail Compromised AWS IAM User Access Key
cloudtrail Encrypted administrator password retrieved for Windows EC2 instance
cloudtrail New Amazon EC2 Instance type
cloudtrail New AWS account seen assuming a role into AWS account
cloudtrail New Private Repository Container Image detected in AWS ECR
cloudtrail New Public Repository Container Image detected in AWS ECR
cloudtrail New user seen executing a command in an ECS task
cloudtrail Object-level logging should be enabled for S3 bucket read events
cloudtrail Possible AWS EC2 privilege escalation via the modification of user data
cloudtrail Possible privilege escalation via AWS login profile manipulation
cloudtrail Possible RDS Snapshot exfiltration
cloudtrail Potential administrative port open to the world via AWS security group
cloudtrail Potential brute force attack on AWS ConsoleLogin
cloudtrail Potential database port open to the world via AWS security group
cloudtrail S3 bucket access logging should be enabled on the CloudTrail S3 bucket
cloudtrail S3 bucket write events should have object-level logging enabled
cloudtrail Security group open to the world
cloudtrail Temporary AWS security credentials generated for user
cloudtrail The AWS managed policy AWSCompromisedKeyQuarantineV2 has been attached
cloudtrail There should be at least one multi-region CloudTrail trail per AWS account
cloudtrail Tor client IP address identified within AWS environment
cloudtrail TruffleHog user agent observed in AWS
cloudtrail Unfamiliar IAM user retrieved a decrypted AWS Systems Manager parameter
cloudtrail Unfamiliar IAM user retrieved secret from AWS Secrets Manager
cloudtrail Unfamiliar IAM user retrieved SSM parameter
cloudtrail Unusual AWS enumeration event from EC2 instance
cloudtrail User enumerated AWS Secrets Manager - Anomaly
cloudtrail User enumerated AWS Systems Manager parameters - Anomaly
cloudtrail User travel was impossible in AWS CloudTrail IAM log
Crowdstrike
Docker
docker All Docker swarm overlay networks are encrypted
docker Auditing for Docker Daemon executable is configured
docker Auditing for Docker local storage is configured
docker Auditing for the containerd executable is configured
docker Auditing for the default Docker configuration file is configured
docker Auditing for the default Docker configuration file is configured - RHEL
docker Auditing for the Docker daemon configuration file is configured
docker Auditing for the docker.service file is configured
docker Auditing for the docker.socket file is configured
docker Auditing for the runc executable is configured
docker Auditing is configured for Docker-related files
docker Authorization for Docker client commands is enabled
docker Base device size set to default value (10 GB)
docker CA certificates are rotated as appropriate
docker Centralized and remote logging is configured
docker Configure applicable cluster role-based access control policies
docker Configure the LDAP authentication service
docker Container has memory usage limits configured
docker Container health is always monitored
docker Container host has been hardened
docker Container image includes HealthCheck instructions
docker Container is restricted from acquiring additional privileges
docker Container root file system is set to read-only
docker Container sprawl is avoided
docker Container's PIDs cgroup limit parameter is set
docker Containers are restricted from acquiring new privileges
docker Containers have an AppArmor profile enabled
docker Containers only run in non-privileged mode
docker Containers prohibit Docker socket mounting
docker Containers run using non-root user accounts
docker Containers use a non-default bridge network
docker Containers use only trusted base images
docker Containers use the cgroup configured in Docker
docker Content trust for Docker is enabled
docker COPY is used instead of ADD in Dockerfiles
docker CPU priorities are set to ensure critical containers remain responsive
docker Daemon-wide custom seccomp profile is applied if appropriate
docker Default cgroup usage has been confirmed
docker Default Docker configuration file can only be altered by owners
docker Default Docker configuration file can only be altered by owners - RHEL
docker Default Docker configuration file is owned by the root account and group
docker Default Docker configuration file is owned by the root account and group - RHEL
docker Default ulimit is configured appropriately
docker Default ulimit is overwritten at runtime if needed
docker Docker commands always make use of the latest version of their image
docker Docker daemon logging level is set to 'info'
docker Docker exec commands are used with a non-root user option
docker Docker exec commands are used without the privileged option
docker Docker is authorized to make firewall configuration changes
docker Docker local storage is mounted on a separate disk partition
docker Docker related files are owned by the root account and group
docker Docker related files can only be altered by owners
docker Docker server certificate file permissions are set to read-only or more restrictive
docker Docker uses a storage driver other than AUFS
docker Docker version is up to date
docker Docker's secret management commands are used for managing secrets in a swarm cluster
docker Dockerfile is free of stored secrets
docker Dockerfile is void of any update instructions
docker Enable image vulnerability scanning
docker Enable signed image enforcement
docker Enable user namespace support
docker Enforce the use of client certificate bundles for unprivileged users
docker Experimental features are disabled in production
docker Host devices are hidden from containers
docker Host's IPC namespace is isolated from containers
docker Host's network namespace is hidden from containers
docker Host's process namespace is isolated from containers
docker Image sprawl is avoided
docker Images are scanned and rebuilt to include security patches
docker Incoming container traffic is bound to a specific host interface
docker Linux kernel capabilities are restricted to only those which are required
docker Live restore is enabled
docker Management plane traffic is separated from data plane traffic
docker Mapping of privileged ports within containers is restricted
docker Minimum number of manager nodes have been created in a swarm
docker Mount propagation mode is always set to a non-shared option
docker Network traffic is restricted between containers on the default network bridge
docker Node certificates are rotated as appropriate
docker Only necessary packages are installed in the container
docker Only needed ports are open on the container
docker Only the owner of the server certificate key file can read its contents
docker Only the root account and Docker group members can control the Docker daemon
docker Only the root account and Docker group members can read and write to the Docker socket file
docker Only the root account and Docker group members have ownership of the Docker socket file
docker Only the root account and group have ownership of the daemon.json file
docker Only the root account and group have ownership of the Docker server certificate file
docker Only the root account and group have ownership of the Docker server certificate key file
docker Only the root account and group have ownership of the docker.service file
docker Only the root account and group have ownership of the TLS CA certificate file
docker Only the root account and group have ownership over the docker.socket file
docker Only the root account and group have ownership over the registry certificate file
docker Only the root account has write permissions to the daemon.json file
docker Only the root account has write permissions to the docker.service file
docker Only the root account has write permissions to the docker.socket file
docker Only verified packages are installed
docker Private registry uses TLS encryption
docker Registry certificate file permissions are set to read-only or more restrictive
docker Restart attempts on container failure are limited to 5 attempts
docker Seccomp profiles are enabled for filtering incoming system calls
docker SELinux security options are configured
docker Sensitive host system directories are not mounted on containers
docker Set the "Lifetime Minutes" and "Renewal Threshold Minutes" values to '15' or lower and '0' respectively
docker Set the per-user session limit to a value of '3' or lower
docker setuid and setgid permissions are removed
docker sshd is disabled in containers
docker Swarm manager auto-lock key is rotated periodically
docker Swarm manager is run in auto-lock mode
docker Swarm mode is disabled
docker Swarm services are bound to a specific host interface
docker TLS authentication is configured for Docker daemon
docker TLS CA certificate file permissions are set to read-only or more restrictive
docker Use external certificates
docker User namespaces isolated between host and containers
docker Userland Proxy is Disabled
docker UTS Namespace is only allocated to the Host
EC2
ec2 Amazon Machine Image (AMI) should only be available to trusted accounts
ec2 EC2 instance should not have a highly-privileged IAM role attached to it
ec2 EC2 instance uses a privileged IAM role
ec2 EC2 instances should enforce IMDSv2
ec2 Inbound CIFS access should be restricted
ec2 Inbound DNS access should be restricted
ec2 Inbound FTP access should be restricted
ec2 Inbound HTTP access should be restricted
ec2 Inbound HTTPS access should be restricted
ec2 Inbound ICMP access to the host should be restricted
ec2 Inbound MongoDB access should be restricted
ec2 Inbound MSSQL access should be restricted
ec2 Inbound OpenSearch access should be restricted
ec2 Inbound Oracle access should be restricted
ec2 Inbound RPC access should be restricted
ec2 Inbound SMTP access should be restricted
ec2 Inbound TCP NetBIOS access should be restricted
ec2 Inbound Telnet access should be restricted
ec2 Inbound UDP NetBIOS access should be restricted
ec2 MySQL inbound access should be restricted
ec2 Outbound access on all ports should be restricted
ec2 PostgreSQL inbound access should be restricted
ec2 Publicly accessible EC2 instance connected to known attack domain
ec2 Publicly Accessible EC2 instance has a critical vulnerability
ec2 Publicly accessible EC2 instance performed cryptomining operations
ec2 Publicly accessible EC2 instance performing SSH scanning
ec2 Publicly accessible EC2 instance should not have open administrative ports
ec2 Publicly accessible EC2 instance uses IMDSv1
ec2 Publicly accessible EC2 instances should not have highly-privileged IAM roles
ec2 Security groups should restrict ingress traffic to specified IPv4 addresses
ec2 Security groups should restrict ingress traffic to specified IPv6 addresses
ec2 The default security group should restrict all traffic in a VPC
GCP
gcp Access denied for Google Cloud Service Account
gcp Anomalous number of Google Cloud Compute GPU virtual machines created
gcp Anomalous number of Google Cloud Storage Buckets Accessed
gcp Anomalous number of Google Cloud Storage Objects Accessed
gcp Anomalous number of Google Compute Engine instances created in multiple zones by user
gcp Attempt to add SSH key to Google Compute Engine project metadata by a previously unseen user
gcp Google App Engine service account used outside of Google Cloud
gcp Google Cloud BigQuery - query results saved to cloud storage
gcp Google Cloud BigQuery - query results saved to new table
gcp Google Cloud BigQuery results saved to cloud storage by a previously unseen user
gcp Google Cloud Compute Engine GPU virtual machine instance created
gcp Google Cloud GCE instance startup script added or modified
gcp Google Cloud IAM policy modified
gcp Google Cloud IAM role created
gcp Google Cloud IAM Role updated
gcp Google Cloud Logging Bucket deleted
gcp Google Cloud logging sink modified
gcp Google Cloud Project external principal added as project owner
gcp Google Cloud Pub/Sub Subscriber modified
gcp Google Cloud Pub/Sub topic deleted
gcp Google Cloud Service Account accessing anomalous number of Google Cloud APIs
gcp Google Cloud Service Account created
gcp Google Cloud Service Account Impersonation activity using access token generation
gcp Google Cloud Service Account Impersonation using GCPloit Exploitation Framework
gcp Google Cloud Service Account key created
gcp Google Cloud SQL database modified
gcp Google Cloud SQL instance data exported to cloud storage
gcp Google Cloud SQL instance data exported to cloud storage by a previously unseen user
gcp Google Cloud Storage Bucket contents downloaded without authentication
gcp Google Cloud Storage Bucket enumerated
gcp Google Cloud Storage Bucket modified
gcp Google Cloud Storage Bucket permissions modified
gcp Google Cloud unauthorized service account activity
gcp Google Cloud unauthorized user activity
gcp Google Compute Engine firewall egress rule opened to the world
gcp Google Compute Engine firewall rule modified
gcp Google Compute Engine image created
gcp Google Compute Engine instance metadata SSH key added or modified
gcp Google Compute Engine instances created in multiple zones by user
gcp Google Compute Engine network created
gcp Google Compute Engine network route created or modified
gcp Google Compute Engine project metadata SSH key added or modified
gcp Google Compute Engine service account used outside of Google Cloud
gcp Potential Google Cloud cryptomining attack from Tor IP
gcp Tor client IP address identified within Google Cloud environment
Google Cloud Asset Inventory
Google SQL Database Instance
google_sql_database_instance MySQL instance should have the 'skip_show_database' flag set to 'on'
google_sql_database_instance MySQL instances should have the 'local_infile' database flag set to 'off'
google_sql_database_instance PostgreSQL instance should have the 'log_disconnections' database flag enabled
google_sql_database_instance PostgreSQL instances should have the 'cloudsql.enable_pgaudit' database flag set to 'on'
google_sql_database_instance PostgreSQL instances should have the 'log_connections' database flag set to 'on'
google_sql_database_instance PostgreSQL instances should have the 'log_error_verbosity' flag set to 'DEFAULT' or stricter
google_sql_database_instance PostgreSQL instances should have the 'log_hostname' database flag set to 'on'
google_sql_database_instance PostgreSQL instances should have the 'log_min_messages' database flag set to at least 'WARNING'
google_sql_database_instance PostgreSQL instances should have the 'log_statement' database flag set appropriately
google_sql_database_instance PostgreSQL instances should have the 'log_min_duration_statement' flag set to '-1' (disabled)
google_sql_database_instance PostgreSQL instances should have the 'log_min_error_statement' flag set to 'ERROR' or stricter
google_sql_database_instance SQL database instances should enforce SSL for all incoming connections
google_sql_database_instance SQL database instances should have automated backups enabled
google_sql_database_instance SQL Database instances should only allow ingress traffic from specific IP addresses
google_sql_database_instance SQL Server instances should have the 'contained database authentication' database flag set to 'off'
google_sql_database_instance SQL Server instances should have the 'cross db ownership chaining' database flag set to 'off'
google_sql_database_instance SQL Server instances should have the 'external scripts enabled' database flag set to 'off'
google_sql_database_instance SQL Server instances should have the 'remote access' database flag set to 'off'
google_sql_database_instance SQL Server instances should have the 'user connections' database flag set to a non-limiting value
google_sql_database_instance SQL Server instances should have the '3625 (trace flag)' database flag set to 'off'
google_sql_database_instance SQL Server instances should have the 'user options' database flag disabled
google.security.command.center
google.workspace.alert.center
IAM
iam Access keys should be created after initial setup for IAM users
iam Access keys should be rotated every 90 days or less
iam An IAM privileged user should not have admin permissions in AWS
iam An IAM role should be created to manage incidents with AWS Support
iam AWS EC2 instance can assume a role with administrative privileges
iam AWS EC2 instance can create a login profile for an IAM user with administrative privileges
iam AWS EC2 instance can create access keys for an IAM user with administrative privileges
iam AWS EC2 instance can update a login profile for an IAM user with administrative privileges
iam AWS EC2 instance can update the trust policy for a role with administrative privileges
iam AWS EC2 instance has administrative privileges
iam AWS IAM group can assume a role with administrative privileges
iam AWS IAM group can create a login profile for an IAM user with administrative privileges
iam AWS IAM group can create access keys for an IAM user with administrative privileges
iam AWS IAM group can update a login profile for an IAM user with administrative privileges
iam AWS IAM group can update the trust policy for a role with administrative privileges
iam AWS IAM group has access to a large number of resources
iam AWS IAM group has administrative privileges
iam AWS IAM policy with administrative privileges is not attached to any principal
iam AWS IAM role can assume a role with administrative privileges
iam AWS IAM role can create a login profile for an IAM user with administrative privileges
iam AWS IAM role can create access keys for an IAM user with administrative privileges
iam AWS IAM role can update a login profile for an IAM user with administrative privileges
iam AWS IAM role can update the trust policy for a role with administrative privileges
iam AWS IAM role has a large permissions gap
iam AWS IAM role has a trust relationship with a wildcard principal
iam AWS IAM role has access to a large number of resources
iam AWS IAM role has administrative privileges
iam AWS IAM role has administrative privileges and is inactive
iam AWS IAM role should not allow untrusted GitHub Actions to assume it
iam AWS IAM role with administrative privileges has a trust relationship with a wildcard principal
iam AWS IAM role with administrative privileges has an external cross-account trust relationship
iam AWS IAM role with external cross-account trust relationship does not use an external ID
iam AWS IAM user can assume a role with administrative privileges
iam AWS IAM user can create a login profile for an IAM user with administrative privileges
iam AWS IAM user can create access keys for an IAM user with administrative privileges
iam AWS IAM user can update a login profile for an IAM user with administrative privileges
iam AWS IAM user can update the trust policy for a role with administrative privileges
iam AWS IAM user has a large permissions gap
iam AWS IAM user has access to a large number of resources
iam AWS IAM user has administrative privileges
iam AWS IAM user has administrative privileges and is inactive
iam AWS Lambda function has administrative privileges
iam Credentials should be deactivated or removed if unused for 45 days
iam Expired SSL/TLS certificate stored in AWS IAM should be removed
iam IAM Access Analyzer should be enabled for all regions
iam IAM password policy should prevent the reuse of passwords
iam IAM password policy should require a length of at least 14 characters
iam IAM password policy should require at least one lowercase letter
iam IAM password policy should require at least one number in passwords
iam IAM password policy should require at least one symbol
iam IAM password policy should require uppercase characters
iam IAM policies should be attached and managed at the group level
iam IAM policy provides full administrator access
iam IAM policy should provide only necessary and specific privileges
iam IAM role trust policy should not contain a wildcard principal
iam IAM server certificate should be renewed 30 days before expiration
iam Inactive IAM access keys older than 1 year should be removed
iam Long-lived AWS IAM access key has not been used in the last 30 days
iam MFA should be enabled for the "root" user account
iam Misconfigured AWS IAM role can be assumed by any external GitHub action
iam Multi-factor authentication should be enabled for all IAM users with console access
iam No MFA enabled for AWS root user account
iam Root account access keys should be removed
iam Root account credentials should be inactive for the previous 30 days
iam The "root" user account should have hardware MFA enabled
iam There should only be one active access key per IAM user
iam Vulnerable IAM role can be assumed by any user