OOTB Rules

Datadog provides out-of-the-box (OOTB) detection rules to flag attacker techniques and potential misconfigurations so you can immediately take steps to remediate. Datadog continuously develops new default rules, which are automatically imported into your account, your Application Security Management library, and the Agent, depending on your configuration.

Datadog's Security Research team continuously adds new OOTB security detection rules. While the aim is to deliver high-quality detections with the release of integrations or other new features, the performance of these detections at scale often needs to be observed before making the rule generally available. These rules contain a Beta tag. This gives Datadog's Security Research team time to either refine or deprecate detection opportunities that do not meet Datadog's standards.

Click the following buttons to filter the detection rules. Security detection rules are available for Application Security Management, Cloud SIEM (log detection and signal correlation), CSM Misconfigurations (cloud and infrastructure), CSM Threats, CSM Identity Risks, and Attack Paths.

Application Security
>
application-security API scan detected on service
application-security Attack Tool
application-security Bruteforce attack
application-security Cassandra injection vulnerability triggered
application-security Command injection attempt detected
application-security Command injection vulnerability triggered
application-security Commercial vulnerability scanner
application-security CQL injections attempts
application-security Credential Stuffing attack
application-security Distributed Credential Stuffing campaign (attacker fingerprint)
application-security Distributed Credential Stuffing campaign (attempt count)
application-security Distributed Credential Stuffing campaign (user count)
application-security Excessive account deletion from an IP
application-security Excessive payment failures from IP
application-security Excessive resource consumption of third-party API
application-security Excessive sensitive activity from an IP (SDK instrumented)
application-security Excessive sensitive activity from an IP (WAF instrumented)
application-security Feature returning private information abused by IP
application-security Java code injections attempts
application-security JWT authentication bypass attempt
application-security Local File Inclusion (LFI) attack attempts
application-security Log4shell RCE attempts - CVE-2021-44228
application-security Log4shell vulnerability triggered (RCE) - CVE-2021-44228
application-security Mongo injections attempts
application-security OGNL injection attack attempts on routes parsing OGNL
application-security Password reset token bruteforce
application-security Reflected XSS attempts on routes returning HTML
application-security Resource enumeration detected
application-security Security scanner detected
application-security Spring4shell RCE attempts - CVE-2022-22963
application-security SQL injection vulnerability triggered
application-security SQL injections attempts
application-security SSRF attempts on routes executing network queries
application-security SSRF vulnerability triggered
application-security Unauthenticated activity detected
application-security Unauthorized activity detected
application-security Unusual account creations from an IP
application-security Unusual password reset rate activity
application-security User activity detected from outside authorized countries
application-security User activity detected from unauthorized countries
application-security User activity from Tor
application-security User enumeration through password reset
azure
Azure
>
azure Azure Active Directory risky sign-in
azure Azure AD brute force login
azure Azure AD Identity Protection risky user
azure Azure AD Login Without MFA
azure Azure AD member assigned built-in Administrator role
azure Azure AD member assigned Global Administrator role
azure Azure AD possible MFA fatigue attack
azure Azure AD possible MFA fatigue attack followed by successful login
azure Azure AD Privileged Identity Management member assigned
azure Azure AD sign in from AADinternals default user agent
azure Azure AD sign in from AzureHound default user agent
azure BETA Azure administrative unit created
azure BETA Azure administrative unit modified
azure Azure Datadog Log Forwarder Deleted
azure Azure diagnostic setting deleted or disabled
azure Azure disk export URI created
azure Azure Firewall Threat Intelligence Alert
azure Azure Frontdoor WAF Blocked a Request
azure Azure Frontdoor WAF Logged a Request
azure Azure Function has administrative privileges over resources
azure Azure group has access to a large number of resources
azure Azure group has administrative privileges over resources
azure Azure Login Explicitly Denied MFA
azure Azure managed identity has a large permissions gap
azure Azure managed identity has access to a large number of resources
azure Azure managed identity has administrative privileges over resources
azure Azure Network Security Group Open to the World
azure Azure Network Security Groups or Rules Created, Modified, or Deleted
azure Azure new owner added for service principal
azure Azure New Owner added to Azure Active Directory application
azure Azure New Service Principal created
azure Azure Policy Assignment Created
azure BETA Azure restricted management administrative unit created
azure Azure Service Principal was assigned a role
azure Azure snapshot export URI created
azure Azure SQL Server Firewall Rules Created or Modified
azure BETA Azure user added to restricted management administrative unit
azure BETA Azure user granted scoped role assignment over administrative unit
azure Azure user has a large permissions gap
azure Azure user has access to a large number of resources
azure Azure user has administrative privileges over resources
azure Azure user invited an external user
azure Azure user ran command on container instance
azure BETA Azure user removed from restricted administrative unit
azure Azure user viewed CosmosDB access keys
azure Azure user viewed CosmosDB connection string
azure Azure Virtual Machine instance has administrative privileges over resources
azure Brute-forced user has assigned a role
azure Credential added to Azure AD application
azure Credential added to rarely used Azure AD application
azure Credential Stuffing Attack on Azure
azure Microsoft 365 - Modification of Trusted Domain
azure Potential Illicit Consent Grant attack via Azure registered application
azure Tor client IP address identified within Azure environment
azure User ran a command on Azure Compute
azure.activity_log
Azure.activity Log
>
azure.activity_log 'Create or Update Network Security Group' activity log alert should be configured
azure.activity_log 'Create or Update Public Ip Address' activity log alert should be configured
azure.activity_log 'Create or Update Security Solutions' activity log alert should be configured
azure.activity_log 'Create or Update SQL Server Firewall Rule' activity log alert should be configured
azure.activity_log 'Create Policy Assignment' activity log alert should be configured
azure.activity_log 'Delete Network Security Group' activity log alert should be configured
azure.activity_log 'Delete Policy Assignment' activity log alert should be configured
azure.activity_log 'Delete Public Ip Address Rule' activity log alert should be configured
azure.activity_log 'Delete Security Solution' activity log alert should be configured
azure.activity_log 'Delete SQL Server Firewall Rule' activity log alert should be configured
azure.activity_log Account should have a activity log alert configured for 'Create or Update Network Security Group'
azure.activity_log Account should have a activity log alert configured for 'Delete Load Balancer'
azure.activity_log Account should have a activity log alert configured for 'Delete Storage Accounts'
azure.activity_log Account should have a activity log alert configured for creating or updating storage accounts
azure.activity_log Account should have a activity log alert configured for creating or updating virtual machines
azure.activity_log Account should have a activity log alert configured for deallocating virtual machines
azure.activity_log Account should have a configured activity log alert for 'Delete Key Vault'
azure.activity_log Account should have a configured activity log alert for 'Delete MySQL Database'
azure.activity_log Account should have a configured activity log alert for 'Delete PostgreSQL Database'
azure.activity_log Account should have a configured activity log alert for 'Rename Azure SQL Database'
azure.activity_log Account should have a configured activity log alert for 'Update Key Vault'
azure.activity_log Account should have a configured activity log alert for 'Update Security Policy'
azure.activity_log Account should have a configured activity log alert for deleting Network Security Group
azure.activity_log Account should have a configured activity log alert for deleting policy assignments
azure.activity_log Account should have a configured activity log alert for deleting the SQL Server firewall rule
azure.activity_log Account should have a configured activity log alert for deleting VMs
azure.activity_log Account should have a configured activity log alert for load balancer updates
azure.activity_log Account should have a configured activity log alert for mysql database updates
azure.activity_log Account should have a configured activity log alert for PostgreSQL database updates
azure.activity_log Account should have a configured activity log alert for power off events
azure.activity_log Account should have a configured activity log alert for security solutions creation or updates
azure.activity_log Account should have a configured activity log alert for sql database updates
azure.activity_log The account should have a configured activity log alert for firewall rule creation or update
azure.activity_log The user should configure an activity log alert for SQL Database deletion
azure.activity_log User should have a 'Create Policy Assignment' activity log alert configured
azure.activity_log User should have a 'Delete Security Solution' activity log alert configured
Cloud Workload Security
>
cloud workload security AppArmor profile modified
cloud workload security Auditd configuration modified
cloud workload security Cloud credentials accessed by network utility
cloud workload security Compiler executed in container
cloud workload security Compiler wrote suspicious file
cloud workload security Container accessed using kubectl in another container
cloud workload security Container breakout attempt using Docker socket
cloud workload security Container breakout using runc file descriptors
cloud workload security Container management utility in container
cloud workload security Crypto miner environment variables observed
cloud workload security Crypto miner process observed
cloud workload security Cryptocurrency miner attempted to boost CPU performance
cloud workload security Database process spawned shell
cloud workload security Dirty Pipe exploitation attempted
cloud workload security DNS lookup for cryptocurrency mining pool
cloud workload security DNS lookup for IP lookup service
cloud workload security DNS lookup for paste service
cloud workload security Dynamic linker hijacking attempt
cloud workload security Evidence hidden by deleting system log file
cloud workload security Executable bit added to newly created file
cloud workload security Exfiltration attempt via network utility
cloud workload security File created and executed inside container
cloud workload security Hash of known malware detected
cloud workload security Interactive shell spawned in container
cloud workload security Kubernetes DNS enumeration
cloud workload security Kubernetes service account token created in container
cloud workload security Local account password modified
cloud workload security Looney Tunables (CVE-2023-4911) exploited for privilege escalation
cloud workload security Memfd object created
cloud workload security Network scanning utility executed
cloud workload security Network utility executed
cloud workload security Network utility executed in container
cloud workload security Network utility executed with suspicious URI
cloud workload security Offensive Kubernetes tool executed
cloud workload security Package installed in container
cloud workload security Post compromise shell detected
cloud workload security Potential rootkit compiled and then loaded
cloud workload security Process hidden using mount
cloud workload security Process injected into another process
cloud workload security PTRACE_TRACEME used to prevent process debugging
cloud workload security Pwnkit privilege escalation attempt
cloud workload security Python executed with suspicious arguments
cloud workload security RC scripts modified
cloud workload security Recently written or modified suid file has been executed
cloud workload security Redis sandbox escape (CVE-2022-0543)
cloud workload security Redis server wrote suspicious module file
cloud workload security Resource enumerated using kubectl in container
cloud workload security Resource provisioned using kubectl in container
cloud workload security Runc binary modified
cloud workload security Sensitive namespace modified using kubectl
cloud workload security Shell command history modified
cloud workload security Shell process created by Java application
cloud workload security Sudoers policy file modified
cloud workload security Unfamiliar kernel module loaded
cloud workload security Unfamiliar kernel module loaded from memory
cloud workload security Unfamiliar process accessed AWS EKS service account token
cloud workload security Unfamiliar process accessed Kubernetes pod service account token
cloud workload security Unfamiliar process created by web application
cloud workload security User created interactively
cloudtrail
Cloudtrail
>
cloudtrail A user received an anomalous number of AccessDenied errors
cloudtrail Additional AWS regions enabled
cloudtrail Amazon Bedrock activity InvokeModel multiple regions using a long-term access key
cloudtrail Amazon Bedrock console activity using a long-term access key
cloudtrail Amazon EC2 AMI exfiltration attempt by IAM user
cloudtrail Amazon S3 bucket policy modified
cloudtrail Amazon SES enumeration attempt by previously unseen user
cloudtrail Amazon SES modification attempt
cloudtrail Amazon SNS enumeration attempt by previously unseen user
cloudtrail Amazon SNS enumeration in multiple regions using a long-term access key
cloudtrail An AWS account attempted to leave the AWS Organization
cloudtrail An AWS S3 bucket lifecycle expiration policy was set to disabled
cloudtrail An AWS S3 bucket lifecycle policy expiration is set to < 90 days
cloudtrail An AWS S3 bucket mfaDelete is disabled
cloudtrail An EC2 instance attempted to enumerate S3 bucket
cloudtrail Anomalous amount of access denied events for AWS EC2 Instance
cloudtrail Anomalous amount of Autoscaling Group events
cloudtrail Anomalous API Gateway API key reads by user
cloudtrail Anomalous number of assumed roles from user
cloudtrail Anomalous number of S3 buckets accessed
cloudtrail Anomalous number of secrets retrieved from AWS Secrets Manager
cloudtrail Anomalous S3 bucket activity from user ARN
cloudtrail Attempt to create Xlarge EC2 instances in multiple AWS regions
cloudtrail AWS access key creation by previously unseen identity
cloudtrail AWS AMI Made Public
cloudtrail AWS CloudTrail configuration modified
cloudtrail AWS CloudTrail trail should have global service events enabled
cloudtrail AWS CloudWatch log group deleted
cloudtrail AWS CloudWatch rule disabled or deleted
cloudtrail AWS Config modified
cloudtrail AWS console login without MFA
cloudtrail AWS ConsoleLogin with MFA triggered Impossible Travel scenario
cloudtrail AWS ConsoleLogin without MFA triggered Impossible Travel scenario
cloudtrail AWS Detective Graph deleted
cloudtrail AWS Disable Cloudtrail with event selectors
cloudtrail AWS EBS default encryption disabled
cloudtrail AWS EBS Snapshot Made Public
cloudtrail AWS EBS Snapshot possible exfiltration
cloudtrail AWS EC2 new event for application
cloudtrail AWS EC2 new event for EKS Node Group
cloudtrail AWS EC2 subnet deleted
cloudtrail AWS ECS cluster deleted
cloudtrail AWS ECS CreateCluster API calls in multiple regions
cloudtrail AWS EventBridge rule disabled or deleted
cloudtrail AWS GuardDuty detector deleted
cloudtrail AWS GuardDuty publishing destination deleted
cloudtrail AWS GuardDuty threat intel set deleted
cloudtrail AWS IAM activity by S3 browser utility
cloudtrail AWS IAM activity from EC2 instance
cloudtrail AWS IAM AdministratorAccess policy was applied to a group
cloudtrail AWS IAM AdministratorAccess policy was applied to a role
cloudtrail AWS IAM AdministratorAccess policy was applied to a user
cloudtrail AWS IAM policy modified
cloudtrail AWS IAM Roles Anywhere trust anchor created
cloudtrail AWS IAM User created with AdministratorAccess policy attached
cloudtrail AWS Java_Ghost security group creation attempt
cloudtrail AWS Kinesis Firehose stream destination modified
cloudtrail AWS KMS key deleted or scheduled for deletion
cloudtrail AWS Lambda function modified by IAM user
cloudtrail AWS Lambda function resource-based policy modified by IAM user
cloudtrail AWS Network Access Control List created or modified
cloudtrail AWS Network Gateway created or modified
cloudtrail AWS principal added to multiple EKS clusters
cloudtrail AWS principal assigned administrative privileges in an EKS cluster
cloudtrail AWS principal granted access to a EKS cluster then removed
cloudtrail AWS RDS Cluster deleted
cloudtrail AWS root account activity
cloudtrail AWS Route 53 DNS query logging disabled
cloudtrail AWS Route 53 VPC disassociated from query logging configuration
cloudtrail AWS Route Table created or modified
cloudtrail AWS S3 Bucket ACL made public
cloudtrail AWS S3 Public Access Block removed
cloudtrail AWS security group created, modified or deleted
cloudtrail AWS Security Hub disabled
cloudtrail AWS SES add verified identity followed by the deletion of the identity
cloudtrail AWS SES discovery attempt by long term access key
cloudtrail AWS SES email sending enabled in current AWS region
cloudtrail AWS VPC created or modified
cloudtrail AWS VPC Flow Log deleted
cloudtrail AWS WAF traffic blocked by specific rule
cloudtrail AWS WAF traffic blocked by specific rule on multiple IPs
cloudtrail AWS WAF web access control list deleted
cloudtrail AWS WAF web access control list modified
cloudtrail CloudTrail log file validation should be enabled
cloudtrail CloudTrail logs S3 bucket should not be public accessible
cloudtrail CloudTrail logs should be encrypted at rest using KMS CMKs
cloudtrail Cloudtrail SecretsManager secret retrieved from AWS CloudShell environment
cloudtrail CloudTrail trails should be integrated with CloudWatch Logs
cloudtrail Compromised AWS EC2 Instance
cloudtrail Compromised AWS IAM User Access Key
cloudtrail Encrypted administrator password retrieved for Windows EC2 instance
cloudtrail New Amazon EC2 Instance type
cloudtrail New AWS account seen assuming a role into AWS account
cloudtrail New Private Repository Container Image detected in AWS ECR
cloudtrail New Public Repository Container Image detected in AWS ECR
cloudtrail New user seen executing a command in an ECS task
cloudtrail Object-level logging should be enabled for S3 bucket read events
cloudtrail Possible AWS EC2 privilege escalation via the modification of user data
cloudtrail Possible privilege escalation via AWS login profile manipulation
cloudtrail Possible RDS Snapshot exfiltration
cloudtrail Potential administrative port open to the world via AWS security group
cloudtrail Potential brute force attack on AWS ConsoleLogin
cloudtrail Potential database port open to the world via AWS security group
cloudtrail S3 bucket access logging should be enabled on the CloudTrail S3 bucket
cloudtrail S3 bucket write events should have object-level logging enabled
cloudtrail Security group open to the world
cloudtrail Temporary AWS security credentials generated for user
cloudtrail The AWS managed policy AWSCompromisedKeyQuarantineV2 has been attached
cloudtrail There should be at least one multi-region CloudTrail trail per AWS account
cloudtrail Tor client IP address identified within AWS environment
cloudtrail TruffleHog user agent observed in AWS
cloudtrail Unfamiliar IAM user retrieved a decrypted AWS Systems Manager parameter
cloudtrail Unfamiliar IAM user retrieved secret from AWS Secrets Manager
cloudtrail Unfamiliar IAM user retrieved SSM parameter
cloudtrail Unusual AWS enumeration event from EC2 instance
cloudtrail User enumerated AWS Secrets Manager - Anomaly
cloudtrail User enumerated AWS Systems Manager parameters - Anomaly
cloudtrail User travel was impossible in AWS CloudTrail IAM log
crowdstrike
Crowdstrike
>
docker
Docker
>
docker /usr/bin/containerd should be audited if applicable
docker /var/lib/docker should be audited
docker Container images should include HEALTHCHECK instructions
docker Container runtime should include the --pids-limit flag for cgroup limit parameter
docker Containers on the default network bridge should restrict network traffic
docker Containers should have an enabled AppArmor profile
docker Containers should have memory usage limits configured on Docker hosts
docker Containers should not mount the Docker socket docker.sock inside them
docker Containers should not run in privileged mode
docker Containers should not share the host's user namespaces
docker Containers should run as a non-root user
docker Containers should use the cgroup configured in Docker
docker Docker daemon activities should be audited
docker Docker-related files should be audited in /etc/docker
docker Incoming system calls should be filtered using enabled Seccomp profiles
docker Kernel capabilities in Linux should only be granted when necessary
docker Private registry should use TLS encryption for a secure Docker environment
docker Privileged port mapping for containers should be restricted to increase security
docker Processes in containers should have isolated Process ID (PID) namespaces
docker SELinux security options should be properly configured for effective application security
docker Sensitive host system directories should not be mounted on containers
docker The /etc/default/docker file ownership should be set to root
docker The /etc/default/docker file permissions should be set to 644 or stricter
docker The /etc/docker directory permissions should be set to 755 or stricter
docker The /etc/docker directory should be owned by root account
docker The /etc/sysconfig/docker file permissions should be set to 644 or stricter
docker The /etc/sysconfig/docker file should be owned by the root account and group
docker The /usr/sbin/runc executable should be audited, if applicable
docker The container should have a restart policy limited to 5 attempts
docker The container should restrict acquiring additional privileges via suid or sgid bits
docker The container's health should be constantly monitored
docker The container's root filesystem should be set to read-only
docker The critical containers should be configured to remain responsive
docker The daemon.json file should have permissions set to 644 or stricter
docker The daemon.json file should have user and group ownership set to root
docker The default Docker configuration file should be audited on RHEL
docker The default Docker configuration file should be audited, if applicable
docker The Docker daemon configuration file should be audited if applicable
docker The Docker daemon log level should be set to 'info'
docker The Docker daemon should be allowed to configure the firewall rules
docker The Docker daemon should only be controlled by root and Docker group
docker The Docker instance should not use AUFS as its storage driver
docker The Docker local storage partition should be separate from other partitions
docker The Docker server certificate file should be owned by root
docker The Docker server certificate file should have read-only or more restrictive permissions
docker The Docker server certificate key file needs to have permissions of 400
docker The Docker server certificate key file should be owned by root
docker The Docker socket file should be owned by root and Docker group
docker The Docker socket file should have permissions of 660 or stricter
docker The docker.service file ownership and group should be set to root
docker The docker.service file permissions should be set to 644
docker The docker.service file should have auditing configured if applicable
docker The docker.socket file should be audited, if applicable
docker The docker.socket file should be owned by root
docker The file permissions on docker.socket should be set to 644 or stricter
docker The host's network namespace should be hidden from containers
docker The IPC namespace on the host should remain isolated from containers
docker The registry certificate files should be individually and group owned by root
docker The registry certificate files should have read-only or stricter permissions
docker The TLS CA certificate file should be owned by root account
docker The TLS CA certificate file should have read-only or more restrictive permissions
docker The UTS namespace should not be shared with the host
docker TLS authentication should be enabled for Docker daemon to restrict remote access
ec2
EC2
>
ec2 Amazon Machine Image (AMI) should only be available to trusted accounts
ec2 AWS EC2 Transit Gateways should not automatically accept VPC attachment requests
ec2 EC2 instance should not have a highly-privileged IAM role attached to it
ec2 EC2 instances should enforce IMDSv2
ec2 EC2 instances should not be publicly accessible
ec2 EC2 instances should not use multiple ENIs
ec2 EC2 paravirtual instance types should not be used
ec2 EC2 should be configured to use AWS VPC endpoints created for the Amazon EC2 service
ec2 EC2 subnets should not automatically assign public IP addresses
ec2 Inbound CIFS access should be restricted
ec2 Inbound DNS access should be restricted
ec2 Inbound FTP access should be restricted
ec2 Inbound HTTP access should be restricted
ec2 Inbound HTTPS access should be restricted
ec2 Inbound ICMP access to the host should be restricted
ec2 Inbound MongoDB access should be restricted
ec2 Inbound MSSQL access should be restricted
ec2 Inbound MySQL access should be restricted
ec2 Inbound OpenSearch access should be restricted
ec2 Inbound Oracle access should be restricted
ec2 Inbound PostgreSQL access should be restricted
ec2 Inbound RPC access should be restricted
ec2 Inbound SMTP access should be restricted
ec2 Inbound TCP NetBIOS access should be restricted
ec2 Inbound Telnet access should be restricted
ec2 Inbound UDP NetBIOS access should be restricted
ec2 Outbound access on all ports should be restricted
ec2 Publicly accessible AWS EC2 instance is vulnerable to CUPS remote code execution attack chain
ec2 Publicly accessible EC2 contains critical vulnerabilities found in CISA KEV with greater than 15 days exposure time
ec2 Publicly accessible EC2 contains critical vulnerabilities which have exploits available with greater than 30 days exposure time
ec2 Publicly accessible EC2 contains critical vulnerabilities with greater than 30 days exposure time
ec2 Publicly accessible EC2 contains high vulnerabilities with greater than 60 days exposure time
ec2 Publicly accessible EC2 host is running IMDSv1 and has an SSRF vulnerability
ec2 Publicly accessible EC2 instance contains critical vulnerability CVE-2024-3094 (RCE in liblzma and xz versions 5.6.0 and 5.6.1)
ec2 Publicly Accessible EC2 instance has a critical vulnerability
ec2 Publicly accessible EC2 instance has access to an S3 bucket with sensitive data
ec2 Publicly Accessible EC2 instance has privileged role and a critical vulnerability
ec2 Publicly accessible EC2 instance should not have open administrative ports
ec2 Publicly accessible EC2 instance uses IMDSv1
ec2 Publicly accessible EC2 instances should not have highly-privileged IAM roles
ec2 Publicly accessible EC2 with privileged IAM role contains critical vulnerabilities with greater than 30 days exposure time
ec2 Security groups should not allow unrestricted access to ports with high risk
ec2 Security groups should restrict ingress traffic to specified IPv4 addresses
ec2 Security groups should restrict ingress traffic to specified IPv6 addresses
ec2 The default security group should restrict all traffic in a VPC
ec2 Unused Network Access Control Lists should be removed