Default Threat Detection Rules
Incident Management is now generally available! Incident Management is now generally available!

Default Threat Detection Rules

Detection rules define conditional logic that is applied to all ingested logs. When at least one case defined in a detection rule is matched over a given period of time, Datadog generates a security signal.

Datadog provides default detection rules to flag attacker techniques and potential misconfigurations so that you immediately improve your security posture. Datadog continuously develops new default detection rules, which are automatically imported into your account.

Filter by Logs Detection to see the Security monitoring rules, and filter by Runtime Agent and Cloud Configuration to see the beta Compliance monitoring rules. To request access to the beta, use this link.

All CLOUD CONFIGURATIONLOG DETECTIONRUNTIME AGENT
apache
Apache
>
apache Apache HTTP requests from security scanner
auth0
Auth0
>
auth0 Auth0 user authenticating from multiple countries
auth0 Auth0 user logged in with a breached password
auth0 Brute force attack on an Auth0 user
auth0 Credential stuffing attack on Auth0
azure
Azure
>
azure Azure AD Login Without MFA
azure Azure Firewall Threat Intelligence Alert
azure Azure Frontdoor WAF Blocked a Request
azure Azure Frontdoor WAF Logged a Request
azure Azure Login Explicitly Denied MFA
azure Azure Network Security Group Open to the World
azure Azure Network Security Groups or Rules Created, Modified, or Deleted
azure Azure Policy Assignment Created
azure Azure Portal brute force login
azure Azure SQL Server Firewall Rules Created or Modified
azure Azure user invited an external user
azure Credential Stuffing Attack on Azure
cloudfront
Cloudfront
>
cloudfront Cloudfront distribution are not field-level encrypted
cloudfront Cloudfront distributions are not encrypted
cloudfront CloudFront distributions security policy is less than TLS v1.1
cloudfront CloudFront is not integrated with WAF
cloudfront CloudFront logging is not enabled
cloudfront Cloudfront viewers are not encrypted
cloudtrail
Cloudtrail
>
cloudtrail AWS CloudTrail configuration modified
cloudtrail AWS CMK deleted or scheduled for deletion
cloudtrail AWS config modified
cloudtrail AWS Console brute force login
cloudtrail AWS Console login without MFA
cloudtrail AWS Console root login without MFA
cloudtrail AWS EBS default encryption disabled
cloudtrail AWS EC2 subnet deleted
cloudtrail AWS ECS cluster deleted
cloudtrail AWS EventBridge rule disabled or deleted
cloudtrail AWS FlowLogs removed
cloudtrail AWS GuardDuty detector deleted
cloudtrail AWS IAM policy changed
cloudtrail AWS Network Access Control List created or modified
cloudtrail AWS Network Gateway created or modified
cloudtrail AWS RDS Cluster deleted
cloudtrail AWS root account activity
cloudtrail AWS Route Table created or modified
cloudtrail AWS S3 Bucket policy modified
cloudtrail AWS S3 Buckets enumerated
cloudtrail AWS S3 Public Access Block removed
cloudtrail AWS security group created or modified
cloudtrail AWS unauthorized activity
cloudtrail AWS VPC created or modified
cloudtrail CloudTrail global services is disabled
cloudtrail CloudTrail log file validation is not enabled
cloudtrail CloudTrail logs are encrypted at rest using KMS CMKs
cloudtrail CloudTrail logs are not encrypted
cloudtrail CloudTrail multi-region is not enabled
cloudtrail CloudTrail trail file integration validation is not enabled
docker
Docker
>
docker 'on-failure' container restart policy is set to '5'
docker /etc/default/docker auditing is configured
docker /etc/default/docker file ownership is set to root:root
docker /etc/default/docker file permissions are set to 644 or more restrictively
docker /etc/docker auditing is configured
docker /etc/docker directory ownership is set to root:root
docker /etc/docker directory permissions are set to 755 or more restrictively
docker /etc/docker/daemon.json auditing is configured
docker /etc/sysconfig/docker auditing is configured
docker /etc/sysconfig/docker file ownership is set to root:root
docker /etc/sysconfig/docker file permissions are set to 644 or more restrictively
docker /usr/bin/containerd auditing is configured
docker /usr/sbin/runc auditing is configured
docker /var/lib/docker auditing is configured
docker A separate partition for containers has been created
docker A user for the container has been created
docker An AppArmor Profile is enabled
docker Auditing is configured for the Docker daemon
docker aufs storage driver is not used
docker cgroup usage is confirmed
docker Container health is checked at runtime
docker Container is restricted from acquiring additional privileges
docker Container's root filesystem is mounted as read only
docker CPU priority is set appropriately on containers
docker daemon.json file ownership is set to root:root
docker daemon.json file permissions are set to 644 or more restrictive
docker Default seccomp profile is not Disabled
docker Docker is allowed to make changes to iptables
docker Docker server certificate file ownership is set to root:root
docker Docker server certificate file permissions are set to 444 or more restrictively
docker Docker server certificate key file ownership is set to root:root
docker Docker server certificate key file permissions are set to 400
docker Docker socket file ownership is set to root:docker
docker Docker socket file permissions are set to 660 or more restrictively
docker Docker socket is not mounted inside any containers
docker docker.service auditing is configured
docker docker.service file ownership is set to root:root
docker docker.service file permissions are appropriately set
docker docker.socket auditing is configured
docker docker.socket file ownership is set to root:root
docker docker.socket file permissions are set to 644 or more restrictive
docker HEALTHCHECK instructions have been added to container images
docker Host's IPC namespace is not shared
docker Host's network namespace is not shared
docker Host's process namespace is not shared
docker Host's user namespaces are not shared
docker Host's UTS namespace is not shared
docker Insecure registries are not used
docker Linux kernel capabilities are restricted within containers
docker Logging level is set to 'info'
docker Memory usage for containers is limited
docker Network traffic is restricted between containers on the default bridge
docker Only trusted users are allowed to control Docker daemon
docker PIDs cgroup limit is used
docker Privileged containers are not used
docker Privileged ports are not mapped within containers
docker Registry certificate file ownership is set to root:root
docker Registry certificate file permissions are set to 444 or more restrictively
docker SELinux security options are set
docker Sensitive host system directories are not mounted on containers
docker TLS authentication for Docker daemon is configured
docker TLS CA certificate file ownership is set to root:root
docker TLS CA certificate file permissions are set to 444 or more restrictively
ec2
EC2
>
ec2 Unrestricted access to port 3389
ec2 Unrestricted inbound CIFS access
ec2 Unrestricted inbound DNS access
ec2 Unrestricted inbound Elasticsearch access
ec2 Unrestricted inbound FTP access
ec2 Unrestricted inbound HTTP access
ec2 Unrestricted inbound HTTPS access
ec2 Unrestricted inbound ICMP access
ec2 Unrestricted inbound MongoDB access
ec2 Unrestricted inbound MSSQL access
ec2 Unrestricted inbound MySQL access
ec2 Unrestricted inbound Oracle access
ec2 Unrestricted inbound RPC access
ec2 Unrestricted inbound SMTP access
ec2 Unrestricted inbound SSH access
ec2 Unrestricted inbound TCP NetBIOS access
ec2 Unrestricted inbound Telnet access
ec2 Unrestricted inbound UDP NetBIOS access
ec2 Unrestricted outbound access on all ports
ec2 UUnrestricted inbound PostgreSQL access
ec2 VPC default security groups not restricting all traffic
elb
ELB
>
elb AWS ELB HTTP requests from security scanner
fastly
Fastly
>
fastly Fastly HTTP Requests from Security Scanner
File Integrity Monitoring
>
File Integrity Monitoring A hidden file was created
File Integrity Monitoring A kernel module was added to /lib/modules/
File Integrity Monitoring A log file in /var/log/ was removed
File Integrity Monitoring Critical System Binaries
File Integrity Monitoring Cron AT Job Creation
File Integrity Monitoring Either /etc/shadow/ or /etc/gshadow was modified by a non-standard tool
File Integrity Monitoring Kernel Modification
File Integrity Monitoring Log data in /var/log/ was deleted
File Integrity Monitoring Memory files in /proc/ were accessed
File Integrity Monitoring Nsswitch Configuration Modified
File Integrity Monitoring PAM Configuration Files Modification
File Integrity Monitoring Permissions were changed on sensitive Linux files
File Integrity Monitoring SSH Authorized Keys Modified
File Integrity Monitoring SSL Certificate Tampering
File Integrity Monitoring Systemd Modification
gcp
GCP
>
gcp GCP Bucket enumerated
gcp GCP Bucket modified
gcp GCP Bucket permissions modified
gcp GCP Cloud SQL database modified
gcp GCP GCE Firewall rule modified
gcp GCP GCE network route created or modified
gcp GCP GCE VPC network modified
gcp GCP IAM custom role created or modified
gcp GCP IAM policy modified
gcp GCP logging sink modified
gcp GCP Pub/Sub Subscriber modified
gcp GCP Pub/Sub topic deleted
gcp GCP service account created
gcp GCP service account key created
gcp GCP unauthorized service account activity
gcp GCP unauthorized user activity
gsuite
Gsuite
>
gsuite User attempted login with leaked password
guardduty
Guardduty
>
guardduty AWS EC2 instance communicated with a malicious server
guardduty AWS EC2 instance communicating over unusual port
guardduty AWS EC2 instance communicating with a cryptocurrency server
guardduty AWS EC2 instance communicating with malicious IP
guardduty AWS EC2 instance conducting a port scan
guardduty AWS EC2 instance connecting to TOR as a relay
guardduty AWS EC2 instance credential exfiltrated
guardduty AWS EC2 instance inbound connections from TOR
guardduty AWS EC2 instance involved in brute force attack
guardduty AWS EC2 instance network traffic volume unusual
guardduty AWS EC2 instance outbound connections to TOR
guardduty AWS EC2 instance participating in a DoS attack
guardduty AWS EC2 instance probed by scanner
guardduty AWS EC2 instance Sending spam emails
guardduty AWS EC2 Instance Victim to Metadata DNS Rebind Attack
guardduty AWS IAM principal enumeration
guardduty AWS IAM user anomalous resource consumption
guardduty AWS IAM user attempting to gain persistence
guardduty AWS IAM user changing sensitive configurations
guardduty AWS IAM user disabled S3 Block Public Access
guardduty AWS IAM user escalating privileges
guardduty AWS IAM user making API requests with hacking tools
guardduty AWS IAM user requests from malicious IP
guardduty AWS IAM user suspicious login
guardduty AWS Root credential activity
iam
IAM
>
iam A support role isn't set up to manage incidents with AWS Support
iam Access keys are not rotating every 90 days or less
iam IAM policies attached to individual users
iam IAM policies that allow full "*:*" administrative privileges are not created
iam IAM policy for password length is not set
iam IAM policy is not set to expire passwords within 90 days or less
iam IAM policy is not set to prevent password reuse
iam IAM policy is not set to require at least one lowercase letter
iam IAM policy is not set to require at least one number
iam IAM policy is not set to require at least one symbol
iam IAM policy is not set to require uppercase characters
iam IAM privileged user has admin permissions for your AWS account
iam MFA is not enabled for the "root" account
iam Multi-factor authentication is not enabled for all IAM users with a console password
iam No root account access key exists
iis
IIS
>
iis IIS HTTP requests from security scanner
kms
KMS
>
kms Rotation for customer created CMKs is not enabled
kubernetes
Kubernetes
>
kubernetes --audit-log-maxage argument is set to 30 or as appropriate
kubernetes --audit-log-maxbackup argument is set to 10 or as appropriate
kubernetes --audit-log-maxsize argument is set to 100 or as appropriate
kubernetes --audit-log-path argument is set
kubernetes --authorization-mode argument includes Node
kubernetes --authorization-mode argument includes RBAC
kubernetes --authorization-mode argument is not set to AlwaysAllow (API server)
kubernetes --authorization-mode argument is not set to AlwaysAllow (Kubelet)
kubernetes --auto-tls argument is not set to true
kubernetes --basic-auth-file argument is not set
kubernetes --bind-address argument is set to 127.0.0.1 (Controller Manager)
kubernetes --bind-address argument is set to 127.0.0.1 (Scheduler)
kubernetes --cert-file and --key-file arguments are set as appropriate
kubernetes --client-ca-file argument is set as appropriate (API server)
kubernetes --client-ca-file argument is set as appropriate (Kubelet)
kubernetes --client-cert-auth argument is set to true
kubernetes --encryption-provider-config argument is set as appropriate
kubernetes --etcd-cafile argument is set as appropriate
kubernetes --etcd-certfile and --etcd-keyfile arguments are set as appropriate
kubernetes --insecure-bind-address argument is not set
kubernetes --insecure-port argument is set to 0
kubernetes --kubelet-certificate-authority argument is set as appropriate
kubernetes --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
kubernetes --kubelet-https argument is set to true
kubernetes --make-iptables-util-chains argument is set to true
kubernetes --peer-auto-tls argument is not set to true
kubernetes --peer-cert-file and --peer-key-file arguments are set as appropriate
kubernetes --peer-client-cert-auth argument is set to true
kubernetes --profiling argument is set to false (API server)
kubernetes --profiling argument is set to false (Controller Manager)
kubernetes --profiling argument is set to false (Scheduler)
kubernetes --protect-kernel-defaults argument is set to true
kubernetes --read-only-port argument is set to 0
kubernetes --request-timeout argument is set as appropriate
kubernetes --root-ca-file argument is set as appropriate
kubernetes --rotate-certificates argument is not set to false
kubernetes --secure-port argument is not set to 0
kubernetes --service-account-key-file argument is set as appropriate
kubernetes --service-account-lookup argument is set to true
kubernetes --service-account-private-key-file argument is set as appropriate
kubernetes --streaming-connection-idle-timeout argument is not set to 0
kubernetes --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API server)
kubernetes --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet)
kubernetes --token-auth-file parameter is not set
kubernetes --use-service-account-credentials argument is set to true
kubernetes admin.conf file ownership is set to root:root
kubernetes admin.conf file permissions are set to 644 or more restrictive
kubernetes Admission control plugin AlwaysAdmit is not set
kubernetes Admission control plugin NamespaceLifecycle is set
kubernetes Admission control plugin NodeRestriction is set
kubernetes Admission control plugin PodSecurityPolicy is set
kubernetes Admission control plugin ServiceAccount is set
kubernetes All namespaces have network policies defined
kubernetes Anonymous Request Authorized
kubernetes Anonymous-auth argument is set to false
kubernetes API server pod specification file ownership is set to root:root
kubernetes API server pod specification file permissions are set to 644 or more restrictive
kubernetes Certificate authorities file permissions are set to 644 or more restrictive
kubernetes Client certificate authorities file ownership is set to root:root
kubernetes Controller manager pod specification file ownership is set to root:root
kubernetes Controller manager pod specification file permissions are set to 644 or more restrictive
kubernetes controller-manager.conf file ownership is set to root:root
kubernetes controller-manager.conf file permissions are set to 644 or more restrictive
kubernetes Default service accounts are not actively used
kubernetes etcd data directory ownership is set to etcd:etcd
kubernetes etcd data directory permissions are set to 700 or more restrictive
kubernetes etcd pod specification file ownership is set to root:root
kubernetes etcd pod specification file permissions are set to 644 or more restrictive
kubernetes Kubelet configuration file has permissions set to 644 or more restrictive
kubernetes Kubelet configuration file ownership is set to root:root
kubernetes Kubelet service file ownership is set to root:root
kubernetes Kubelet service file permissions are set to 644 or more restrictive
kubernetes kubelet.conf file ownership is set to root:root
kubernetes kubelet.conf file permissions are set to 644 or more restrictive
kubernetes Kubernetes PKI certificate file permissions are set to 644 or more restrictive
kubernetes Kubernetes PKI directory and file ownership is set to root:root
kubernetes Kubernetes Pod Created in Kube Namespace
kubernetes Kubernetes Pod Created with hostNetwork
kubernetes Kubernetes Service Account Created in Kube Namespace
kubernetes Kubernetes Service Created with NodePort
kubernetes Minimal audit policy is created
kubernetes Minimize the admission of containers wishing to share the host IPC namespace
kubernetes Minimize the admission of containers wishing to share the host network namespace
kubernetes Minimize the admission of containers wishing to share the host process ID namespace
kubernetes Minimize the admission of containers with allowPrivilegeEscalation
kubernetes New Kubernetes Namespace Created
kubernetes Proxy kubeconfig file ownership is set to root:root
kubernetes Proxy kubeconfig file permissions are set to 644 or more restrictive
kubernetes RotateKubeletServerCertificate argument is set to true (Controller Manager)
kubernetes RotateKubeletServerCertificate argument is set to true (Kubelet)
kubernetes Scheduler pod specification file ownership is set to root:root
kubernetes Scheduler pod specification file permissions are set to 644 or more restrictive
kubernetes scheduler.conf file ownership is set to root:root
kubernetes scheduler.conf file permissions are set to 644 or more restrictive
kubernetes The default namespace should not be used
kubernetes User Attached to a Pod
kubernetes User Exec into a Pod
microsoft-365
Microsoft 365
>
microsoft-365 Microsoft 365 OneDrive Anonymous Link Created
microsoft-365 Microsoft 365 SharePoint object shared with guest
microsoft-365 Microsoft 365 Teams app installed
nginx
Nginx
>
nginx NGINX HTTP requests from security scanner
nginx-ingress-controller
Nginx Ingress Controller
>
nginx-ingress-controller NGINX ingress controller HTTP requests from security scanner
okta
Okta
>
okta Okta API Token Created or Enabled
okta Okta MFA Bypass Attempted
okta Okta User Attempted to Access Unauthorized App
rds
RDS
>
rds RDS database instances are not encrypted
rds RDS instance with default port
redshift
Redshift
>
redshift Redshift cluster is not encrypted
redshift Redshift cluster is not publicly accessible
redshift Redshift cluster is not using a custom master user name
redshift Redshift cluster is not using the EC2-VPC platform
redshift Redshift cluster is using a default port
redshift Version upgrade is not enabled for a Redshift cluster
route53
Route53
>
route53 EC2 instance requested a suspicious domain
route53 EC2 instance resolved a suspicious AWS metadata DNS query
signal_sciences
Signal Sciences
>
signal_sciences Signal Sciences flagged an IP
twistlock
Twistlock
>
twistlock Container image vulnerability detected
twistlock Container violated compliance standards
VPC
>
vpc Unrestricted network ACL inbound traffic
vpc Unrestricted network ACL outbound traffic
vpc VPC flow logging is enabled in all VPCs
edit Edit

On this Page