Default Threat Detection Rules


Detection rules define conditional logic that is applied to all ingested logs. When at least one case defined in a detection rule is matched over a given period of time, Datadog generates a security signal.

Datadog provides default detection rules that flag attacker techniques and potential misconfigurations, so that you can immediately improve your security posture. Datadog continuously develops new default detection rules, which are automatically imported into your account.

Filter by Logs Detection to see the Security monitoring rules, and filter by Runtime Agent and Cloud Configuration to see the beta Compliance monitoring rules. To request access to the beta, use this link.

Docker
docker 'on-failure' container restart policy is set to '5'
docker /etc/default/docker auditing is configured
docker /etc/default/docker file ownership is set to root:root
docker /etc/default/docker file permissions are set to 644 or more restrictively
docker /etc/docker auditing is configured
docker /etc/docker directory ownership is set to root:root
docker /etc/docker directory permissions are set to 755 or more restrictively
docker /etc/docker/daemon.json auditing is configured
docker /etc/sysconfig/docker auditing is configured
docker /etc/sysconfig/docker file ownership is set to root:root
docker /etc/sysconfig/docker file permissions are set to 644 or more restrictively
docker /usr/bin/containerd auditing is configured
docker /usr/sbin/runc auditing is configured
docker /var/lib/docker auditing is configured
docker A separate partition for containers has been created
docker A user for the container has been created
docker An AppArmor Profile is enabled
docker Auditing is configured for the Docker daemon
docker aufs storage driver is not used
docker cgroup usage is confirmed
docker Container health is checked at runtime
docker Container is restricted from acquiring additional privileges
docker Container's root filesystem is mounted as read only
docker CPU priority is set appropriately on containers
docker daemon.json file ownership is set to root:root
docker daemon.json file permissions are set to 644 or more restrictive
docker Default seccomp profile is not Disabled
docker Docker is allowed to make changes to iptables
docker Docker server certificate file ownership is set to root:root
docker Docker server certificate file permissions are set to 444 or more restrictively
docker Docker server certificate key file ownership is set to root:root
docker Docker server certificate key file permissions are set to 400
docker Docker socket file ownership is set to root:docker
docker Docker socket file permissions are set to 660 or more restrictively
docker Docker socket is not mounted inside any containers
docker docker.service auditing is configured
docker docker.service file ownership is set to root:root
docker docker.service file permissions are appropriately set
docker docker.socket auditing is configured
docker docker.socket file ownership is set to root:root
docker docker.socket file permissions are set to 644 or more restrictive
docker HEALTHCHECK instructions have been added to container images
docker Host's IPC namespace is not shared
docker Host's network namespace is not shared
docker Host's process namespace is not shared
docker Host's user namespaces are not shared
docker Host's UTS namespace is not shared
docker Insecure registries are not used
docker Linux kernel capabilities are restricted within containers
docker Logging level is set to 'info'
docker Memory usage for containers is limited
docker Network traffic is restricted between containers on the default bridge
docker Only trusted users are allowed to control Docker daemon
docker PIDs cgroup limit is used
docker Privileged containers are not used
docker Privileged ports are not mapped within containers
docker Registry certificate file ownership is set to root:root
docker Registry certificate file permissions are set to 444 or more restrictively
docker SELinux security options are set
docker Sensitive host system directories are not mounted on containers
docker TLS authentication for Docker daemon is configured
docker TLS CA certificate file ownership is set to root:root
docker TLS CA certificate file permissions are set to 444 or more restrictively
Kubernetes
kubernetes --audit-log-maxage argument is set to 30 or as appropriate
kubernetes --audit-log-maxbackup argument is set to 10 or as appropriate
kubernetes --audit-log-maxsize argument is set to 100 or as appropriate
kubernetes --audit-log-path argument is set
kubernetes --authorization-mode argument includes Node
kubernetes --authorization-mode argument includes RBAC
kubernetes --authorization-mode argument is not set to AlwaysAllow (API server)
kubernetes --authorization-mode argument is not set to AlwaysAllow (Kubelet)
kubernetes --auto-tls argument is not set to true
kubernetes --basic-auth-file argument is not set
kubernetes --bind-address argument is set to 127.0.0.1 (Controller Manager)
kubernetes --bind-address argument is set to 127.0.0.1 (Scheduler)
kubernetes --cert-file and --key-file arguments are set as appropriate
kubernetes --client-ca-file argument is set as appropriate (API server)
kubernetes --client-ca-file argument is set as appropriate (Kubelet)
kubernetes --client-cert-auth argument is set to true
kubernetes --encryption-provider-config argument is set as appropriate
kubernetes --etcd-cafile argument is set as appropriate
kubernetes --etcd-certfile and --etcd-keyfile arguments are set as appropriate
kubernetes --insecure-bind-address argument is not set
kubernetes --insecure-port argument is set to 0
kubernetes --kubelet-certificate-authority argument is set as appropriate
kubernetes --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
kubernetes --kubelet-https argument is set to true
kubernetes --make-iptables-util-chains argument is set to true
kubernetes --peer-auto-tls argument is not set to true
kubernetes --peer-cert-file and --peer-key-file arguments are set as appropriate
kubernetes --peer-client-cert-auth argument is set to true
kubernetes --profiling argument is set to false (API server)
kubernetes --profiling argument is set to false (Controller Manager)
kubernetes --profiling argument is set to false (Scheduler)
kubernetes --protect-kernel-defaults argument is set to true
kubernetes --read-only-port argument is set to 0
kubernetes --request-timeout argument is set as appropriate
kubernetes --root-ca-file argument is set as appropriate
kubernetes --rotate-certificates argument is not set to false
kubernetes --secure-port argument is not set to 0
kubernetes --service-account-key-file argument is set as appropriate
kubernetes --service-account-lookup argument is set to true
kubernetes --service-account-private-key-file argument is set as appropriate
kubernetes --streaming-connection-idle-timeout argument is not set to 0
kubernetes --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API server)
kubernetes --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet)
kubernetes --token-auth-file parameter is not set
kubernetes --use-service-account-credentials argument is set to true
kubernetes admin.conf file ownership is set to root:root
kubernetes admin.conf file permissions are set to 644 or more restrictive
kubernetes Admission control plugin AlwaysAdmit is not set
kubernetes Admission control plugin NamespaceLifecycle is set
kubernetes Admission control plugin NodeRestriction is set
kubernetes Admission control plugin PodSecurityPolicy is set
kubernetes Admission control plugin ServiceAccount is set
kubernetes Anonymous-auth argument is set to false
kubernetes API server pod specification file ownership is set to root:root
kubernetes API server pod specification file permissions are set to 644 or more restrictive
kubernetes Certificate authorities file permissions are set to 644 or more restrictive
kubernetes Client certificate authorities file ownership is set to root:root
kubernetes Controller manager pod specification file ownership is set to root:root
kubernetes Controller manager pod specification file permissions are set to 644 or more restrictive
kubernetes controller-manager.conf file ownership is set to root:root
kubernetes controller-manager.conf file permissions are set to 644 or more restrictive
kubernetes etcd data directory ownership is set to etcd:etcd
kubernetes etcd data directory permissions are set to 700 or more restrictive
kubernetes etcd pod specification file ownership is set to root:root
kubernetes etcd pod specification file permissions are set to 644 or more restrictive
kubernetes Kubelet configuration file has permissions set to 644 or more restrictive
kubernetes Kubelet configuration file ownership is set to root:root
kubernetes Kubelet service file ownership is set to root:root
kubernetes Kubelet service file permissions are set to 644 or more restrictive
kubernetes kubelet.conf file ownership is set to root:root
kubernetes kubelet.conf file permissions are set to 644 or more restrictive
kubernetes Kubernetes PKI certificate file permissions are set to 644 or more restrictive
kubernetes Kubernetes PKI directory and file ownership is set to root:root
kubernetes Minimal audit policy is created
kubernetes Minimize the admission of containers wishing to share the host IPC namespace
kubernetes Minimize the admission of containers wishing to share the host network namespace
kubernetes Minimize the admission of containers wishing to share the host process ID namespace
kubernetes Minimize the admission of containers with allowPrivilegeEscalation
kubernetes Proxy kubeconfig file ownership is set to root:root
kubernetes Proxy kubeconfig file permissions are set to 644 or more restrictive
kubernetes RotateKubeletServerCertificate argument is set to true (Controller Manager)
kubernetes RotateKubeletServerCertificate argument is set to true (Kubelet)
kubernetes Scheduler pod specification file ownership is set to root:root
kubernetes Scheduler pod specification file permissions are set to 644 or more restrictive
kubernetes scheduler.conf file ownership is set to root:root
kubernetes scheduler.conf file permissions are set to 644 or more restrictive
kubernetes The default namespace should not be used