Default Threat Detection Rules
New announcements from Dash: Incident Management, Continuous Profiler, and more! New announcements from Dash!

Default Threat Detection Rules

Detection rules define conditional logic that is applied to all ingested logs. When at least one case defined in a detection rule is matched over a given period of time, Datadog generates a security signal.

Datadog provides default detection rules to flag attacker techniques and potential misconfigurations so that you immediately improve your security posture. Datadog continuously develops new default detection rules, which are automatically imported into your account.

Filter by Logs Detection to see the Security monitoring rules, and filter by Runtime Agent and Cloud Configuration to see the beta Compliance monitoring rules. To request access to the beta, use this link.

All CLOUD CONFIGURATIONLOGS DETECTIONRUNTIME AGENT
apache
Apache
>
apache Apache HTTP Requests from Security Scanner
auth0
Auth0
>
auth0 Auth0 User Authenticating from Multiple Countries
auth0 Auth0 User Logged in with a Breached Password
auth0 Brute Force Attack on an Auth0 User
auth0 Credential Stuffing Attack on Auth0
Cloudfront
>
CloudFront FieldLevel Encryption Not Enabled
 CloudFront Insecure Viewer Protocol Policy
 CloudFront Integrated With WAF
 CloudFront Logging Disabled
 CloudFront Security Policy: Insecure Minimum Protocol Version
 CloudFront Traffic To Origin Unencrypted
cloudtrail
Cloudtrail
>
cloudtrail AWS CloudTrail Configuration Modified
cloudtrail AWS CMK Deleted or Scheduled for Deletion
cloudtrail AWS Config Modified
cloudtrail AWS Console Brute Force Login
cloudtrail AWS Console Login Without MFA
cloudtrail AWS Console Root Login Without MFA
cloudtrail AWS EBS Default Encryption Disabled
cloudtrail AWS EC2 Subnet Deleted
cloudtrail AWS ECS Cluster Deleted
cloudtrail AWS EventBridge Rule Disabled or Deleted
cloudtrail AWS FlowLogs Removed
cloudtrail AWS GuardDuty Detector Deleted
cloudtrail AWS IAM Policy Changed
cloudtrail AWS Network Access Control List Created or Modified
cloudtrail AWS Network Gateway Created or Modified
cloudtrail AWS RDS Cluster Deleted
cloudtrail AWS Root Account Activity
cloudtrail AWS Route Table Created or Modified
cloudtrail AWS S3 Bucket Policy Modified
cloudtrail AWS S3 Buckets Enumerated
cloudtrail AWS S3 Public Access Block Removed
cloudtrail AWS Security Group Created or Modified
cloudtrail AWS Unauthorized Activity
cloudtrail AWS VPC Created or Modified
cloudtrail CloudTrail Global Services Disabled
cloudtrail CloudTrail Log File Integrity Validation Disabled
cloudtrail CloudTrail Logs Not Encrypted
cloudtrail CloudTrail Multi-Region is not Enabled
cloudtrail Ensure CloudTrail log file validation is enabled
cloudtrail Ensure CloudTrail logs are encrypted at rest using KMS CMKs
docker
Docker
>
docker Ensure auditing is configured for Docker files and directories - /etc/default/docker
docker Ensure auditing is configured for Docker files and directories - /etc/docker
docker Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
docker Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker
docker Ensure auditing is configured for Docker files and directories - /usr/bin/containerd
docker Ensure auditing is configured for Docker files and directories - /usr/sbin/runc
docker Ensure auditing is configured for Docker files and directories - /var/lib/docker
docker Ensure auditing is configured for Docker files and directories - docker.service
docker Ensure auditing is configured for Docker files and directories - docker.socket
docker Ensure auditing is configured for the Docker daemon
docker Ensure aufs storage driver is not used
docker Ensure Docker is allowed to make changes to iptables
docker Ensure insecure registries are not used
docker Ensure network traffic is restricted between containers on the default bridge
docker Ensure only trusted users are allowed to control Docker daemon
docker Ensure privileged ports are not mapped within containers
docker Ensure sensitive host system directories are not mounted on containers
docker Ensure that /etc/docker directory permissions are set to 755 or more restrictively
docker Ensure that a user for the container has been created
docker Ensure that cgroup usage is confirmed
docker Ensure that container health is checked at runtime
docker Ensure that CPU priority is set appropriately on containers
docker Ensure that daemon.json file permissions are set to 644 or more restrictive
docker Ensure that docker.service file permissions are appropriately set
docker Ensure that docker.socket file ownership is set to root:root
docker Ensure that docker.socket file permissions are set to 644 or more restrictive
docker Ensure that HEALTHCHECK instructions have been added to container images
docker Ensure that Linux kernel capabilities are restricted within containers
docker Ensure that privileged containers are not used
docker Ensure that registry certificate file ownership is set to root:root
docker Ensure that registry certificate file permissions are set to 444 or more restrictively
docker Ensure that the 'on-failure' container restart policy is set to '5'
docker Ensure that the /etc/default/docker file ownership is set to root:root
docker Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively
docker Ensure that the /etc/docker directory ownership is set to root:root
docker Ensure that the /etc/sysconfig/docker file ownership is set to root:root
docker Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively
docker Ensure that the container is restricted from acquiring additional privileges
docker Ensure that the container's root filesystem is mounted as read only
docker Ensure that the daemon.json file ownership is set to root:root
docker Ensure that the Docker socket file ownership is set to root:docker
docker Ensure that the Docker socket file permissions are set to 660 or more restrictively
docker Ensure that the Docker socket is not mounted inside any containers
docker Ensure that the docker.service file ownership is set to root:root
docker Ensure that the host's IPC namespace is not shared
docker Ensure that the host's network namespace is not shared
docker Ensure that the host's process namespace is not shared
docker Ensure that the host's user namespaces are not shared
docker Ensure that the host's UTS namespace is not shared
docker Ensure that the memory usage for containers is limited
docker Ensure that the PIDs cgroup limit is used
docker Ensure that, if applicable, an AppArmor Profile is enabled
docker Ensure that, if applicable, SELinux security options are set
docker Ensure the default seccomp profile is not Disabled
ec2
EC2
>
ec2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
ec2 Ensure the default security group of every VPC restricts all traffic
ec2 Security Group With Unrestricted Inbound CIFS Access
ec2 Security Group With Unrestricted Inbound DNS Access
ec2 Security Group With Unrestricted Inbound Elasticsearch Access
ec2 Security Group With Unrestricted Inbound FTP Access
ec2 Security Group With Unrestricted Inbound HTTP Access
ec2 Security Group With Unrestricted Inbound HTTPS Access
ec2 Security Group With Unrestricted Inbound ICMP Access
ec2 Security Group With Unrestricted Inbound MongoDB Access
ec2 Security Group With Unrestricted Inbound MSSQL Access
ec2 Security Group With Unrestricted Inbound MySQL Access
ec2 Security Group With Unrestricted Inbound Oracle Access
ec2 Security Group With Unrestricted Inbound PostgreSQL Access
ec2 Security Group With Unrestricted Inbound RPC Access
ec2 Security Group With Unrestricted Inbound SMTP Access
ec2 Security Group With Unrestricted Inbound SSH Access
ec2 Security Group With Unrestricted Inbound TCP NetBIOS Access
ec2 Security Group With Unrestricted Inbound Telnet Access
ec2 Security Group With Unrestricted Inbound UDP NetBIOS Access
ec2 Security Group With Unrestricted Outbound Access on All Ports
elb
ELB
>
elb AWS ELB HTTP Requests from Security Scanner
fastly
Fastly
>
fastly Fastly HTTP Requests from Security Scanner
File Integrity Monitoring
>
A hidden file was created
 A kernel module was added to /lib/modules/
 A log file in /var/log/ was removed
 Either /etc/shadow/ or /etc/gshadow was modified by a non-standard tool
 Log data in /var/log/ was deleted
 Memory files in /proc/ were accessed
 Permissions were changed on sensitive Linux files
gcp
GCP
>
gcp GCP Bucket Enumerated
gcp GCP Bucket Modified
gcp GCP Bucket Permissions Modified
gcp GCP Cloud SQL Database Modified
gcp GCP GCE Firewall Rule Modified
gcp GCP GCE Network Route Created or Modified
gcp GCP GCE VPC Network Modified
gcp GCP IAM Custom Role Created or Modified
gcp GCP IAM Policy Modified
gcp GCP Logging Sink Modified
gcp GCP Pub/Sub Subscriber Modified
gcp GCP Pub/Sub Topic Deleted
gcp GCP Service Account Created
gcp GCP Service Account Key Created
gcp GCP Unauthorized Service Account Activity
gcp GCP Unauthorized User Activity
gsuite
Gsuite
>
gsuite User Attempted Login with Leaked Password
guardduty
Guardduty
>
guardduty AWS EC2 Instance Communicated with a Malicious Server
guardduty AWS EC2 Instance Communicating Over Unusual Port
guardduty AWS EC2 Instance Communicating With a Cryptocurrency Server
guardduty AWS EC2 Instance Communicating with Malicious IP
guardduty AWS EC2 Instance Conducting a Port Scan
guardduty AWS EC2 Instance Connecting to TOR as a Relay
guardduty AWS EC2 Instance Credential Exfiltrated
guardduty AWS EC2 Instance Inbound Connections from TOR
guardduty AWS EC2 Instance Involved in Brute Force Attack
guardduty AWS EC2 Instance Network Traffic Volume Unusual
guardduty AWS EC2 Instance Outbound Connections to TOR
guardduty AWS EC2 Instance Participating in a DoS Attack
guardduty AWS EC2 Instance Probed by Scanner
guardduty AWS EC2 Instance Sending Spam Emails
guardduty AWS EC2 Instance Victim to Metadata DNS Rebind Attack
guardduty AWS IAM Principal Enumeration
guardduty AWS IAM User Anomalous Resource Consumption
guardduty AWS IAM User Attempting to Gain Persistence
guardduty AWS IAM User Changing Sensitive Configurations
guardduty AWS IAM User Disabled S3 Block Public Access
guardduty AWS IAM User Escalating Privileges
guardduty AWS IAM User Making API Requests With Hacking Tools
guardduty AWS IAM User Requests from Malicious IP
guardduty AWS IAM User Suspicious Login
guardduty AWS Root Credential Activity
iam
IAM
>
iam AWS IAM Users with Admin Privileges
iam Ensure a support role has been created to manage incidents with AWS Support
iam Ensure access keys are rotated every 90 days or less
iam Ensure IAM password policy expires passwords within 90 days or less
iam Ensure IAM password policy prevents password reuse
iam Ensure IAM password policy require at least one lowercase letter
iam Ensure IAM password policy require at least one number
iam Ensure IAM password policy require at least one symbol
iam Ensure IAM password policy requires at least one uppercase letter
iam Ensure IAM password policy requires minimum length of 14 or greater
iam Ensure IAM policies are attached only to groups or roles
iam Ensure IAM policies that allow full "*:*" administrative privileges are not created
iam Ensure MFA is enabled for the "root" account
iam Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
iam Ensure no root account access key exists
iis
IIS
>
iis IIS HTTP Requests from Security Scanner
KMS
>
Ensure rotation for customer created CMKs is enabled
kubernetes
Kubernetes
>
kubernetes Ensure that a minimal audit policy is created
kubernetes Ensure that the --audit-log-maxage argument is set to 30 or as appropriate
kubernetes Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate
kubernetes Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate
kubernetes Ensure that the --audit-log-path argument is set
kubernetes Ensure that the --authorization-mode argument includes Node
kubernetes Ensure that the --authorization-mode argument includes RBAC
kubernetes Ensure that the --authorization-mode argument is not set to AlwaysAllow (API server)
kubernetes Ensure that the --authorization-mode argument is not set to AlwaysAllow (Kubelet)
kubernetes Ensure that the --auto-tls argument is not set to true
kubernetes Ensure that the --basic-auth-file argument is not set
kubernetes Ensure that the --bind-address argument is set to 127.0.0.1 (Controller Manager)
kubernetes Ensure that the --bind-address argument is set to 127.0.0.1 (Scheduler)
kubernetes Ensure that the --cert-file and --key-file arguments are set as appropriate
kubernetes Ensure that the --client-ca-file argument is set as appropriate (API server)
kubernetes Ensure that the --client-ca-file argument is set as appropriate (Kubelet)
kubernetes Ensure that the --client-cert-auth argument is set to true
kubernetes Ensure that the --encryption-provider-config argument is set as appropriate
kubernetes Ensure that the --etcd-cafile argument is set as appropriate
kubernetes Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate
kubernetes Ensure that the --insecure-bind-address argument is not set
kubernetes Ensure that the --insecure-port argument is set to 0
kubernetes Ensure that the --kubelet-certificate-authority argument is set as appropriate
kubernetes Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
kubernetes Ensure that the --kubelet-https argument is set to true
kubernetes Ensure that the --make-iptables-util-chains argument is set to true
kubernetes Ensure that the --peer-auto-tls argument is not set to true
kubernetes Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate
kubernetes Ensure that the --peer-client-cert-auth argument is set to true
kubernetes Ensure that the --profiling argument is set to false (API server)
kubernetes Ensure that the --profiling argument is set to false (Controller Manager)
kubernetes Ensure that the --profiling argument is set to false (Scheduler)
kubernetes Ensure that the --protect-kernel-defaults argument is set to true
kubernetes Ensure that the --read-only-port argument is set to 0
kubernetes Ensure that the --request-timeout argument is set as appropriate
kubernetes Ensure that the --root-ca-file argument is set as appropriate
kubernetes Ensure that the --rotate-certificates argument is not set to false
kubernetes Ensure that the --secure-port argument is not set to 0
kubernetes Ensure that the --service-account-key-file argument is set as appropriate
kubernetes Ensure that the --service-account-lookup argument is set to true
kubernetes Ensure that the --service-account-private-key-file argument is set as appropriate
kubernetes Ensure that the --streaming-connection-idle-timeout argument is not set to 0
kubernetes Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API server)
kubernetes Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet)
kubernetes Ensure that the --token-auth-file parameter is not set
kubernetes Ensure that the --use-service-account-credentials argument is set to true
kubernetes Ensure that the admin.conf file ownership is set to root:root
kubernetes Ensure that the admin.conf file permissions are set to 644 or more restrictive
kubernetes Ensure that the admission control plugin AlwaysAdmit is not set
kubernetes Ensure that the admission control plugin NamespaceLifecycle is set
kubernetes Ensure that the admission control plugin NodeRestriction is set
kubernetes Ensure that the admission control plugin PodSecurityPolicy is set
kubernetes Ensure that the admission control plugin ServiceAccount is set
kubernetes Ensure that the anonymous-auth argument is set to false
kubernetes Ensure that the API server pod specification file ownership is set to root:root
kubernetes Ensure that the API server pod specification file permissions are set to 644 or more restrictive
kubernetes Ensure that the certificate authorities file permissions are set to 644 or more restrictive
kubernetes Ensure that the client certificate authorities file ownership is set to root:root
kubernetes Ensure that the controller manager pod specification file ownership is set to root:root
kubernetes Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive
kubernetes Ensure that the controller-manager.conf file ownership is set to root:root
kubernetes Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive
kubernetes Ensure that the etcd data directory ownership is set to etcd:etcd
kubernetes Ensure that the etcd data directory permissions are set to 700 or more restrictive
kubernetes Ensure that the etcd pod specification file ownership is set to root:root
kubernetes Ensure that the etcd pod specification file permissions are set to 644 or more restrictive
kubernetes Ensure that the kubelet configuration file has permissions set to 644 or more restrictive
kubernetes Ensure that the kubelet configuration file ownership is set to root:root
kubernetes Ensure that the kubelet service file ownership is set to root:root
kubernetes Ensure that the kubelet service file permissions are set to 644 or more restrictive
kubernetes Ensure that the kubelet.conf file ownership is set to root:root
kubernetes Ensure that the kubelet.conf file permissions are set to 644 or more restrictive
kubernetes Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive
kubernetes Ensure that the Kubernetes PKI directory and file ownership is set to root:root
kubernetes Ensure that the proxy kubeconfig file ownership is set to root:root
kubernetes Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive
kubernetes Ensure that the RotateKubeletServerCertificate argument is set to true (Controller Manager)
kubernetes Ensure that the RotateKubeletServerCertificate argument is set to true (Kubelet)
kubernetes Ensure that the scheduler pod specification file ownership is set to root:root
kubernetes Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive
kubernetes Ensure that the scheduler.conf file ownership is set to root:root
kubernetes Ensure that the scheduler.conf file permissions are set to 644 or more restrictive
kubernetes Minimize the admission of containers wishing to share the host IPC namespace
kubernetes Minimize the admission of containers wishing to share the host network namespace
kubernetes Minimize the admission of containers wishing to share the host process ID namespace
kubernetes Minimize the admission of containers with allowPrivilegeEscalation
kubernetes The default namespace should not be used
nginx
Nginx
>
nginx NGINX HTTP Requests from Security Scanner
nginx-ingress-controller
Nginx Ingress Controller
>
nginx-ingress-controller NGINX Ingress Controller HTTP Requests from Security Scanner
rds
RDS
>
rds RDS Default Port
rds RDS Encryption Disabled
redshift
Redshift
>
redshift Redshift Cluster Allow Version Upgrade
redshift Redshift Cluster Default Cluster Port
redshift Redshift Cluster Default Master Username
redshift Redshift Cluster In VPC
redshift Redshift Cluster Publicly Accessible
redshift Redshift Cluster Unencrypted
signal_sciences
Signal Sciences
>
signal_sciences Signal Sciences Flagged an IP
twistlock
Twistlock
>
twistlock Container Image Vulnerability Detected
twistlock Container Violated Compliance Standards
VPC
>
Ensure VPC flow logging is enabled in all VPCs
 Unrestricted Network ACL Inbound Traffic
 Unrestricted Network ACL Outbound Traffic
edit Edit

On this Page