---
title: Investigate Agent Events
description: Datadog, the leading service for cloud-scale monitoring.
---

# Investigate Agent Events

This topic explains how to use the Agent Events explorer to query and review the Datadog Agent threat detection events generated by the [out-of-the-box (OOTB) detection rules](https://docs.datadoghq.com/security/default_rules/#cat-cloud-security-management).

The Datadog Agent evaluates system activity on the Agent host. When activity matches an Agent rule expression, the Agent generates a detection event and passes it to the Datadog backend.

If an event matches an Agent detection rule *and* a backend Threat detection rule, a signal is created and displayed in [Signals](https://docs.datadoghq.com/security/workload_protection/security_signals) (`Agent detection rule + backend Threat detection rule = Signal`).

With the [Agent Events explorer](https://app.datadoghq.com/security/agent-events), you can investigate Agent Events separately from signals. You can review the host path where the event happened, and view the event's attributes, metrics, and processes. You can also review the Agent rule that generated the event and view triage and response instructions.

## Proactively block threats with Active Protection{% #proactively-block-threats-with-active-protection %}

By default, all OOTB Agent crypto mining threat detection rules are enabled and actively monitoring for threats.

[Active Protection](https://docs.datadoghq.com/security/workload_protection/guide/active-protection) enables you to proactively block and terminate crypto mining threats identified by the Datadog Agent threat detection rules.

## View Agent events{% #view-agent-events %}

To view Agent events, go to the [Agent Events explorer](https://app.datadoghq.com/security/agent-events).

Agent events are queried and displayed using the standard explorer controls in the Datadog [Events explorer](https://docs.datadoghq.com/events/explorer/).

## Investigate Agent events{% #investigate-agent-events %}

To investigate why an event is listed on the [Agent Events explorer](https://app.datadoghq.com/security/agent-events), select an event.

The event details include the attributes, [metrics](https://docs.datadoghq.com/metrics/), and [processes](https://docs.datadoghq.com/infrastructure/process/). **Metrics** links to the host dashboard and **Processes** links to the host [process dashboard](https://app.datadoghq.com/process) and process agent installation steps.

In **Path**, the latest process tree is displayed. This gives you the best overview of what occurred by showing you all of the commands that led to the command that initiated the event.

**Path** is often the best place to start your investigation of an event.

## Triage Agent events{% #triage-agent-events %}

To triage an event:

1. Select the event in the **AGENT RULE** column in the [Agent Events explorer](https://app.datadoghq.com/security/agent-events).
1. Select **Click to copy**.
1. Open the [OOTB rules documentation](https://docs.datadoghq.com/security/default_rules/#cat-cloud-security-management).
1. In the search field, paste the copied rule name.
1. Select the rule from the results.
1. Review the rule's **Goal** and **Strategy**, then follow the steps in **Triage and response**.
