Default Threat Detection Rules

Detection rules define conditional logic that is applied to all ingested logs. When at least one case defined in a detection rule is matched over a given period of time, Datadog generates a security signal.

Datadog provides default detection rules that flag attacker techniques and potential misconfigurations, so that you can immediately improve your security posture. Datadog continuously develops new default detection rules, which are automatically imported into your account.

Filter by Logs Detection to see the Security monitoring rules, and filter by Runtime Agent and Cloud Configuration to see the beta Compliance monitoring rules. To request access to the beta, use this link.

Docker
docker Ensure auditing is configured for Docker files and directories - /etc/default/docker
docker Ensure auditing is configured for Docker files and directories - /etc/docker
docker Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
docker Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
docker Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
docker Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
docker Ensure auditing is configured for Docker files and directories - /var/lib/docker
docker Ensure auditing is configured for Docker files and directories - docker.service
docker Ensure auditing is configured for Docker files and directories - docker.socket
docker Ensure auditing is configured for the Docker daemon
docker Ensure aufs storage driver is not used
docker Ensure Docker is allowed to make changes to iptables
docker Ensure insecure registries are not used
docker Ensure network traffic is restricted between containers on the default bridge
docker Ensure only trusted users are allowed to control Docker daemon
docker Ensure privileged ports are not mapped within containers
docker Ensure sensitive host system directories are not mounted on containers
docker Ensure that /etc/docker directory permissions are set to 755 or more restrictively
docker Ensure that a user for the container has been created
docker Ensure that cgroup usage is confirmed
docker Ensure that container health is checked at runtime
docker Ensure that CPU priority is set appropriately on containers
docker Ensure that daemon.json file permissions are set to 644 or more restrictive
docker Ensure that docker.service file permissions are appropriately set
docker Ensure that docker.socket file ownership is set to root:root
docker Ensure that docker.socket file permissions are set to 644 or more restrictive
docker Ensure that HEALTHCHECK instructions have been added to container images
docker Ensure that Linux kernel capabilities are restricted within containers
docker Ensure that privileged containers are not used
docker Ensure that registry certificate file ownership is set to root:root
docker Ensure that registry certificate file permissions are set to 444 or more restrictively
docker Ensure that the 'on-failure' container restart policy is set to '5'
docker Ensure that the /etc/default/docker file ownership is set to root:root
docker Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively
docker Ensure that the /etc/docker directory ownership is set to root:root
docker Ensure that the /etc/sysconfig/docker file ownership is set to root:root
docker Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively
docker Ensure that the container is restricted from acquiring additional privileges
docker Ensure that the container's root filesystem is mounted as read only
docker Ensure that the daemon.json file ownership is set to root:root
docker Ensure that the Docker socket file ownership is set to root:docker
docker Ensure that the Docker socket file permissions are set to 660 or more restrictively
docker Ensure that the Docker socket is not mounted inside any containers
docker Ensure that the docker.service file ownership is set to root:root
docker Ensure that the host's IPC namespace is not shared
docker Ensure that the host's network namespace is not shared
docker Ensure that the host's process namespace is not shared
docker Ensure that the host's user namespaces are not shared
docker Ensure that the host's UTS namespace is not shared
docker Ensure that the memory usage for containers is limited
docker Ensure that the PIDs cgroup limit is used
docker Ensure that, if applicable, an AppArmor Profile is enabled
docker Ensure that, if applicable, SELinux security options are set
docker Ensure the default seccomp profile is not Disabled
Kubernetes
kubernetes Ensure that a minimal audit policy is created
kubernetes Ensure that the --audit-log-maxage argument is set to 30 or as appropriate
kubernetes Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate
kubernetes Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate
kubernetes Ensure that the --audit-log-path argument is set
kubernetes Ensure that the --authorization-mode argument includes Node
kubernetes Ensure that the --authorization-mode argument includes RBAC
kubernetes Ensure that the --authorization-mode argument is not set to AlwaysAllow (API server)
kubernetes Ensure that the --authorization-mode argument is not set to AlwaysAllow (Kubelet)
kubernetes Ensure that the --auto-tls argument is not set to true
kubernetes Ensure that the --basic-auth-file argument is not set
kubernetes Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager)
kubernetes Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler)
kubernetes Ensure that the --cert-file and --key-file arguments are set as appropriate
kubernetes Ensure that the --client-ca-file argument is set as appropriate (API server)
kubernetes Ensure that the --client-ca-file argument is set as appropriate (Kubelet)
kubernetes Ensure that the --client-cert-auth argument is set to true
kubernetes Ensure that the --encryption-provider-config argument is set as appropriate
kubernetes Ensure that the --etcd-cafile argument is set as appropriate
kubernetes Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate
kubernetes Ensure that the --insecure-bind-address argument is not set
kubernetes Ensure that the --insecure-port argument is set to 0
kubernetes Ensure that the --kubelet-certificate-authority argument is set as appropriate
kubernetes Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
kubernetes Ensure that the --kubelet-https argument is set to true
kubernetes Ensure that the --make-iptables-util-chains argument is set to true
kubernetes Ensure that the --peer-auto-tls argument is not set to true
kubernetes Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate
kubernetes Ensure that the --peer-client-cert-auth argument is set to true
kubernetes Ensure that the --profiling argument is set to false (API server)
kubernetes Ensure that the --profiling argument is set to false (Controller Manager)
kubernetes Ensure that the --profiling argument is set to false (Scheduler)
kubernetes Ensure that the --protect-kernel-defaults argument is set to true
kubernetes Ensure that the --read-only-port argument is set to 0
kubernetes Ensure that the --request-timeout argument is set as appropriate
kubernetes Ensure that the --root-ca-file argument is set as appropriate
kubernetes Ensure that the --rotate-certificates argument is not set to false
kubernetes Ensure that the --secure-port argument is not set to 0
kubernetes Ensure that the --service-account-key-file argument is set as appropriate
kubernetes Ensure that the --service-account-lookup argument is set to true
kubernetes Ensure that the --service-account-private-key-file argument is set as appropriate
kubernetes Ensure that the --streaming-connection-idle-timeout argument is not set to 0
kubernetes Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API server)
kubernetes Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet)
kubernetes Ensure that the --token-auth-file parameter is not set
kubernetes Ensure that the --use-service-account-credentials argument is set to true
kubernetes Ensure that the admin.conf file ownership is set to root:root
kubernetes Ensure that the admin.conf file permissions are set to 644 or more restrictive
kubernetes Ensure that the admission control plugin AlwaysAdmit is not set
kubernetes Ensure that the admission control plugin NamespaceLifecycle is set
kubernetes Ensure that the admission control plugin NodeRestriction is set
kubernetes Ensure that the admission control plugin PodSecurityPolicy is set
kubernetes Ensure that the admission control plugin ServiceAccount is set
kubernetes Ensure that the anonymous-auth argument is set to false
kubernetes Ensure that the API server pod specification file ownership is set to root:root
kubernetes Ensure that the API server pod specification file permissions are set to 644 or more restrictive
kubernetes Ensure that the certificate authorities file permissions are set to 644 or more restrictive
kubernetes Ensure that the client certificate authorities file ownership is set to root:root
kubernetes Ensure that the controller manager pod specification file ownership is set to root:root
kubernetes Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive
kubernetes Ensure that the controller-manager.conf file ownership is set to root:root
kubernetes Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive
kubernetes Ensure that the etcd data directory ownership is set to etcd:etcd
kubernetes Ensure that the etcd data directory permissions are set to 700 or more restrictive
kubernetes Ensure that the etcd pod specification file ownership is set to root:root
kubernetes Ensure that the etcd pod specification file permissions are set to 644 or more restrictive
kubernetes Ensure that the kubelet configuration file has permissions set to 644 or more restrictive
kubernetes Ensure that the kubelet configuration file ownership is set to root:root
kubernetes Ensure that the kubelet service file ownership is set to root:root
kubernetes Ensure that the kubelet service file permissions are set to 644 or more restrictive
kubernetes Ensure that the kubelet.conf file ownership is set to root:root
kubernetes Ensure that the kubelet.conf file permissions are set to 644 or more restrictive
kubernetes Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive
kubernetes Ensure that the Kubernetes PKI directory and file ownership is set to root:root
kubernetes Ensure that the proxy kubeconfig file ownership is set to root:root
kubernetes Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive
kubernetes Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager)
kubernetes Ensure that the RotateKubeletServerCertificate argument is set to true (Kubelet)
kubernetes Ensure that the scheduler pod specification file ownership is set to root:root
kubernetes Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive
kubernetes Ensure that the scheduler.conf file ownership is set to root:root
kubernetes Ensure that the scheduler.conf file permissions are set to 644 or more restrictive
kubernetes Minimize the admission of containers wishing to share the host IPC namespace
kubernetes Minimize the admission of containers wishing to share the host network namespace
kubernetes Minimize the admission of containers wishing to share the host process ID namespace
kubernetes Minimize the admission of containers with allowPrivilegeEscalation
kubernetes The default namespace should not be used