Rules for Cloud Workload Security (CWS) are first evaluated in the Datadog Agent to decide what system activity to collect. This portion of a CWS rule is called the Agent expression. Agent expressions use Datadog’s Security Language (SECL). The standard format of a SECL expression is as follows:
```
<trigger>.<event-attribute> <operator> <value> <event-attribute> ...
```
Using this format, an example rule looks like this:
```
open.file.path == "/etc/shadow" && file.path not in ["/usr/sbin/vipw"]
```
Triggers are events that correspond to types of activity seen by the system. The currently supported set of triggers is:
| SECL Event | Type | Definition | Agent Version |
|---|---|---|---|
| `exec` | Process | A process was executed or forked | 7.27 |
| `open` | File | A file was opened | 7.27 |
| `chmod` | File | A file's permissions were changed | 7.27 |
| `chown` | File | A file's owner was changed | 7.27 |
| `mkdir` | File | A directory was created | 7.27 |
| `rmdir` | File | A directory was removed | 7.27 |
| `rename` | File | A file/directory was renamed | 7.27 |
| `unlink` | File | A file was deleted | 7.27 |
| `utimes` | File | Change file access/modification times | 7.27 |
| `link` | File | Create a new name/alias for a file | 7.27 |
| `setxattr` | File | Set extended attributes | 7.27 |
| `removexattr` | File | Remove extended attributes | 7.27 |
| `mount` | File | Mount a filesystem | 7.27 |
| `umount` | File | Unmount a filesystem | 7.27 |
SECL operators are used to combine event attributes together into a full expression. The following operators are available:
| SECL Operator | Types | Definition | Agent Version |
|---|---|---|---|
| `==` | File | Equal | 7.27 |
| `>=` | File | Greater or equal | 7.27 |
| `<=` | File | Lesser or equal | 7.27 |
| `in [elem1, ...]` | File | Element is contained in list | 7.27 |
| `not in [elem1, ...]` | File | Element is not contained in list | 7.27 |
| `~= [pattern1, ...]` | File | Regex pattern is (not) contained in list | 7.27 |
| `&&` | File | Logical and | 7.27 |
Helpers exist in SECL that enable users to write advanced rules without needing to rely on generic techniques such as regex.
The `args_flags` and `args_options` helpers ease the writing of CWS rules based on command line arguments.

`args_flags` catches arguments that start with either one or two hyphen characters but do not accept any associated value. Examples:

- `version` is in `args_flags` for a command invoked with `--version`
- single-letter flags bundled behind one hyphen are split out, so for a command invoked with `-ln` both `l` and `n` are in `args_flags`

`args_options` catches arguments that start with either one or two hyphen characters and accept a value, given either in the same argument separated by the `=` character or as the next argument. Each option is exposed as `name=value`. Examples:

- `T=8` and `width=8` are both in `args_options` for the command `ls -T 8 --width=8`
- `exec.args_options ~= [ "s=.*\'" ]` can be used to detect that `sudoedit` was launched with the `-s` option and a value matching that pattern
The `file.rights` attribute can be used in addition to `file.mode`. `file.mode` holds the full mode value as maintained by the kernel, while `file.rights` holds only the permission bits set by the user; comparing against `file.mode` therefore also depends on bits the user never set, which is why rules about permissions should use `file.rights`. These rights may be more familiar because they are in the
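The following Python is an added example, not Datadog Agent code and not SECL (which is compiled and evaluated only inside the Agent). It models the three pieces described on this page so they can be exercised offline: the example rule from the top of the page, the `args_flags` / `args_options` helpers (covering every argument shape the examples above list), and the `file.rights` versus `file.mode` split. The dotted event keys, the sample events, the decision that a single-letter or double-hyphen option takes the next non-hyphen argument as its value (so `-T 8` becomes `T=8`), and the unanchored regex search are this example's own assumptions.

```python
"""Reference model (added example, not Datadog Agent code) of three SECL
building blocks from the Agent-expression page: the example rule, the
args_flags / args_options helpers, and file.rights versus file.mode."""
import re
import stat


def args_helpers(args):
    """Derive args_flags and args_options from a process's arguments (argv[0] excluded).

    From the page: a hyphen-prefixed argument without a value is a flag; a
    bundle such as -ln yields the flags l and n; an argument with a value,
    given as --name=value or as the following argument, becomes the option
    "name=value".  Assumption of this example (the page does not say): a
    single-letter or double-hyphen option takes the next argument as its
    value only when that argument does not itself start with a hyphen.
    """
    flags, options = [], []
    i = 0
    while i < len(args):
        arg = args[i]
        if not arg.startswith("-") or arg in ("-", "--"):
            i += 1                      # positional argument, ignored by both helpers
            continue
        name = arg.lstrip("-")
        long_form = arg.startswith("--")
        has_next_value = i + 1 < len(args) and not args[i + 1].startswith("-")
        if "=" in name:                 # --width=8
            options.append(name)
            i += 1
        elif (long_form or len(name) == 1) and has_next_value:
            options.append(f"{name}={args[i + 1]}")   # -T 8, --width 8
            i += 2
        elif not long_form and len(name) > 1:
            flags.extend(name)          # -ln is the two flags l and n
            i += 1
        else:
            flags.append(name)          # --version, -v
            i += 1
    return flags, options


def any_option_matches(options, pattern):
    """Model of a regex list applied to args_options: true if any option matches.
    Assumption: the pattern is searched, not anchored, so anchor with ^ and $
    when the whole option must match."""
    rx = re.compile(pattern)
    return any(rx.search(opt) for opt in options)


def file_rights(mode):
    """file.rights: the bits a user sets with chmod (rwx for user/group/other
    plus setuid, setgid and sticky).  file.mode additionally carries the
    kernel-maintained file-type bits (S_IFREG, S_IFDIR, ...)."""
    return mode & 0o7777


# Hand-written predicates in the shape of SECL rules.  The event keys are this
# example's own dotted names, modelled on SECL attribute naming.
def rule_shadow_open(event):
    # open.file.path == "/etc/shadow" && file.path not in ["/usr/sbin/vipw"],
    # with the second operand being the path of the program doing the open.
    return (event["open.file.path"] == "/etc/shadow"
            and event["process.file.path"] not in ["/usr/sbin/vipw"])


def rule_explicit_width(event):
    # In the page's notation: exec.args_options ~= [ "^width=[0-9]+$" ]
    _, options = args_helpers(event["exec.args"])
    return any_option_matches(options, r"^width=[0-9]+$")


def rule_world_writable_chmod(event):
    # Compare on rights, never on the full mode: a regular file (S_IFREG|0o666)
    # and a directory (S_IFDIR|0o666) have different modes but the same rights.
    return file_rights(event["chmod.file.destination.mode"]) & 0o002 != 0


RULES = [
    ("open", "shadow_read_outside_vipw", rule_shadow_open),
    ("exec", "explicit_width_option", rule_explicit_width),
    ("chmod", "world_writable_chmod", rule_world_writable_chmod),
]


def matched_rules(event):
    """Names of the rules whose trigger equals the event type and whose
    expression is true: the Agent-side decision of what activity to keep."""
    return [name for trigger, name, pred in RULES
            if event["type"] == trigger and pred(event)]


# Constructed sample events, not captured from a real Agent.
SAMPLE_EVENTS = [
    {"type": "open", "open.file.path": "/etc/shadow", "process.file.path": "/usr/bin/cat"},
    {"type": "open", "open.file.path": "/etc/shadow", "process.file.path": "/usr/sbin/vipw"},
    {"type": "exec", "exec.args": ["-T", "8", "--width=8"]},
    {"type": "chmod", "chmod.file.destination.mode": stat.S_IFREG | 0o666},
    {"type": "chmod", "chmod.file.destination.mode": stat.S_IFDIR | 0o755},
]

if __name__ == "__main__":
    print(args_helpers(["-T", "8", "--width=8"]))   # ([], ['T=8', 'width=8'])
    print(args_helpers(["-ln"]))                     # (['l', 'n'], [])
    for ev in SAMPLE_EVENTS:
        print(ev["type"], matched_rules(ev))
```

The `chmod` predicate is the practical point of the rights/mode split: written against the full mode, a check for the world-writable bit would also have to know which file-type bits the kernel set, whereas masking to the rights makes the same rule correct for files, directories and everything else.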