OOTB Rules

Datadog provides out-of-the-box (OOTB) detection rules to flag attacker techniques and potential misconfigurations so you can immediately take steps to remediate. Datadog continuously develops new default rules, which are automatically imported into your account, your Application Security Monitoring library, and the Agent, depending on your configuration. For more information, see the Detection Rules documentation.

The rules below are grouped by the part of the Datadog Security Platform they belong to. OOTB rules are available for Cloud SIEM, Posture Management (which is divided into cloud configuration and infrastructure configuration), Workload Security, and Application Security Monitoring.

Azure Activity Log (azure.activity_log)
azure.activity_log User has 'Create or Update Load Balancer' activity log alert configured
azure.activity_log User has 'Create or Update Network Security Group Rule' activity log alert configured
azure.activity_log User has 'Create or Update Network Security Group' activity log alert configured
azure.activity_log User has 'Create or Update or Delete SQL Server Firewall Rule' activity log alert configured
azure.activity_log User has 'Create or Update Security Solutions' activity log alert configured
azure.activity_log User has 'Create or Update Storage Accounts' activity log alert configured
azure.activity_log User has 'Create or Update Virtual Machines' activity log alert configured
azure.activity_log User has 'Create Policy Assignment' activity log alert configured
azure.activity_log User has 'Create Update Azure SQL Database' activity log alert configured
azure.activity_log User has 'Create Update MySQL Database' activity log alert configured
azure.activity_log User has 'Create Update PostgreSQL Database' activity log alert configured
azure.activity_log User has 'Deallocate Virtual Machines' activity log alert configured
azure.activity_log User has 'Delete Azure SQL Database' activity log alert configured
azure.activity_log User has 'Delete Key Vault' activity log alert configured
azure.activity_log User has 'Delete Load Balancer' activity log alert configured
azure.activity_log User has 'Delete MySQL Database' activity log alert configured
azure.activity_log User has 'Delete Network Security Group Rule' activity log alert configured
azure.activity_log User has 'Delete Network Security Group' activity log alert configured
azure.activity_log User has 'Delete Policy Assignment' activity log alert configured
azure.activity_log User has 'Delete PostgreSQL Database' activity log alert configured
azure.activity_log User has 'Delete Security Solution' activity log alert configured
azure.activity_log User has 'Delete Storage Accounts' activity log alert configured
azure.activity_log User has 'Delete Virtual Machines' activity log alert configured
azure.activity_log User has 'Power Off Virtual Machine' activity log alert configured
azure.activity_log User has 'Rename Azure SQL Database' activity log alert configured
azure.activity_log User has 'Update Key Vault' activity log alert configured
azure.activity_log User has 'Update Security Policy' activity log alert configured
CloudTrail (cloudtrail)
cloudtrail A user received multiple AccessDenied errors
cloudtrail An AWS account attempted to leave the AWS Organization
cloudtrail An AWS S3 bucket lifecycle expiration policy was set to disabled
cloudtrail An AWS S3 bucket lifecycle policy expiration is set to < 90 days
cloudtrail An AWS S3 bucket lifecycle policy was deleted
cloudtrail An AWS S3 bucket mfaDelete is disabled
cloudtrail An EC2 instance attempted to enumerate S3 bucket
cloudtrail Anomalous API Gateway API key reads by user
cloudtrail Anomalous number of S3 buckets accessed
cloudtrail Anomalous S3 bucket activity from user ARN
cloudtrail AWS AMI Made Public
cloudtrail AWS CloudTrail configuration modified
cloudtrail AWS CloudWatch log group deleted
cloudtrail AWS CloudWatch rule disabled or deleted
cloudtrail AWS Config modified
cloudtrail AWS Console login without MFA
cloudtrail AWS ConsoleLogin with MFA triggered Impossible Travel scenario
cloudtrail AWS ConsoleLogin without MFA triggered Impossible Travel scenario
cloudtrail AWS Detective Graph deleted
cloudtrail AWS Disable Cloudtrail with event selectors
cloudtrail AWS EBS default encryption disabled
cloudtrail AWS EBS Snapshot Made Public
cloudtrail AWS EC2 new event for application
cloudtrail AWS EC2 subnet deleted
cloudtrail AWS ECS cluster deleted
cloudtrail AWS EventBridge rule disabled or deleted
cloudtrail AWS FlowLogs removed
cloudtrail AWS GuardDuty detector deleted
cloudtrail AWS GuardDuty publishing destination deleted
cloudtrail AWS GuardDuty threat intel set deleted
cloudtrail AWS IAM policy changed
cloudtrail AWS IAM privileged policy was applied to a group
cloudtrail AWS IAM privileged policy was applied to a role
cloudtrail AWS IAM privileged policy was applied to a user
cloudtrail AWS Kinesis Firehose stream destination modified
cloudtrail AWS KMS key deleted or scheduled for deletion
cloudtrail AWS Network Access Control List created or modified
cloudtrail AWS Network Gateway created or modified
cloudtrail AWS RDS Cluster deleted
cloudtrail AWS root account activity
cloudtrail AWS Route 53 DNS query logging disabled
cloudtrail AWS Route 53 VPC disassociated from query logging configuration
cloudtrail AWS Route Table created or modified
cloudtrail AWS S3 Bucket ACL Made Public
cloudtrail AWS S3 Public Access Block removed
cloudtrail AWS security group created, modified or deleted
cloudtrail AWS Security Hub disabled
cloudtrail AWS VPC created or modified
cloudtrail AWS WAF web access control list deleted
cloudtrail AWS WAF web access control list modified
cloudtrail CloudTrail global services are enabled
cloudtrail CloudTrail log file validation is enabled
cloudtrail CloudTrail logs are encrypted at rest using KMS CMKs
cloudtrail CloudTrail multi-region is enabled
cloudtrail Compromised AWS EC2 Instance
cloudtrail Compromised AWS IAM User Access Key
cloudtrail Encrypted administrator password retrieved for Windows EC2 instance
cloudtrail New AWS Account Seen Assuming a Role into AWS Account
cloudtrail New EC2 Instance Type
cloudtrail New Private Repository Container Image detected in AWS ECR
cloudtrail New Public Repository Container Image detected in AWS ECR
cloudtrail New user seen executing a command in an ECS task
cloudtrail Possible AWS EC2 privilege escalation via the modification of user data
cloudtrail Possible Privilege Escalation via AWS IAM CreateLoginProfile
cloudtrail Potential administrative port open to the world via AWS security group
cloudtrail Potential brute force attack on AWS ConsoleLogin
cloudtrail Potential database port open to the world via AWS security group
cloudtrail S3 bucket access logging is enabled on the CloudTrail S3 bucket
cloudtrail S3 bucket policy modified
cloudtrail Security group open to the world
cloudtrail User travel was impossible in AWS CloudTrail IAM log
Docker (docker)
docker 'on-failure' container restart policy is set to '5'
docker /etc/default/docker auditing is configured
docker /etc/default/docker file ownership is set to root:root
docker /etc/default/docker file permissions are set to 644 or more restrictively
docker /etc/docker auditing is configured
docker /etc/docker directory ownership is set to root:root
docker /etc/docker directory permissions are set to 755 or more restrictively
docker /etc/docker/daemon.json auditing is configured
docker /etc/sysconfig/docker auditing is configured
docker /etc/sysconfig/docker file ownership is set to root:root
docker /etc/sysconfig/docker file permissions are set to 644 or more restrictively
docker /usr/bin/containerd auditing is configured
docker /usr/sbin/runc auditing is configured
docker /var/lib/docker auditing is configured
docker A separate partition for containers has been created
docker A user for the container has been created
docker An AppArmor Profile is enabled
docker Auditing is configured for the Docker daemon
docker aufs storage driver is not used
docker cgroup usage is confirmed
docker Container health is checked at runtime
docker Container is restricted from acquiring additional privileges
docker Container's root filesystem is mounted as read only
docker CPU priority is set appropriately on containers
docker daemon.json file ownership is set to root:root
docker daemon.json file permissions are set to 644 or more restrictive
docker Default seccomp profile is not Disabled
docker Docker is allowed to make changes to iptables
docker Docker server certificate file ownership is set to root:root
docker Docker server certificate file permissions are set to 444 or more restrictively
docker Docker server certificate key file ownership is set to root:root
docker Docker server certificate key file permissions are set to 400
docker Docker socket file ownership is set to root:docker
docker Docker socket file permissions are set to 660 or more restrictively
docker Docker socket is not mounted inside any containers
docker docker.service auditing is configured
docker docker.service file ownership is set to root:root
docker docker.service file permissions are appropriately set
docker docker.socket auditing is configured
docker docker.socket file ownership is set to root:root
docker docker.socket file permissions are set to 644 or more restrictive
docker HEALTHCHECK instructions have been added to container images
docker Host's IPC namespace is not shared
docker Host's network namespace is not shared
docker Host's process namespace is not shared
docker Host's user namespaces are not shared
docker Host's UTS namespace is not shared
docker Insecure registries are not used
docker Linux kernel capabilities are restricted within containers
docker Logging level is set to 'info'
docker Memory usage for containers is limited
docker Network traffic is restricted between containers on the default bridge
docker Only trusted users are allowed to control Docker daemon
docker PIDs cgroup limit is used
docker Privileged containers are not used
docker Privileged ports are not mapped within containers
docker Registry certificate file ownership is set to root:root
docker Registry certificate file permissions are set to 444 or more restrictively
docker SELinux security options are set
docker Sensitive host system directories are not mounted on containers
docker TLS authentication for Docker daemon is configured
docker TLS CA certificate file ownership is set to root:root
docker TLS CA certificate file permissions are set to 444 or more restrictively
Kubernetes (kubernetes)
kubernetes --audit-log-maxage argument is set to 30 or as appropriate
kubernetes --audit-log-maxbackup argument is set to 10 or as appropriate
kubernetes --audit-log-maxsize argument is set to 100 or as appropriate
kubernetes --audit-log-path argument is set
kubernetes --authorization-mode argument includes Node
kubernetes --authorization-mode argument includes RBAC
kubernetes --authorization-mode argument is not set to AlwaysAllow (API server)
kubernetes --authorization-mode argument is not set to AlwaysAllow (Kubelet)
kubernetes --auto-tls argument is not set to true
kubernetes --basic-auth-file argument is not set
kubernetes --bind-address argument is set to 127.0.0.1 (Controller Manager)
kubernetes --bind-address argument is set to 127.0.0.1 (Scheduler)
kubernetes --cert-file and --key-file arguments are set as appropriate
kubernetes --client-ca-file argument is set as appropriate (API server)
kubernetes --client-ca-file argument is set as appropriate (Kubelet)
kubernetes --client-cert-auth argument is set to true
kubernetes --encryption-provider-config argument is set as appropriate
kubernetes --etcd-cafile argument is set as appropriate
kubernetes --etcd-certfile and --etcd-keyfile arguments are set as appropriate
kubernetes --insecure-bind-address argument is not set
kubernetes --insecure-port argument is set to 0
kubernetes --kubelet-certificate-authority argument is set as appropriate
kubernetes --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
kubernetes --kubelet-https argument is set to true
kubernetes --make-iptables-util-chains argument is set to true
kubernetes --peer-auto-tls argument is not set to true
kubernetes --peer-cert-file and --peer-key-file arguments are set as appropriate
kubernetes --peer-client-cert-auth argument is set to true
kubernetes --profiling argument is set to false (API server)
kubernetes --profiling argument is set to false (Controller Manager)
kubernetes --profiling argument is set to false (Scheduler)
kubernetes --protect-kernel-defaults argument is set to true
kubernetes --read-only-port argument is set to 0
kubernetes --request-timeout argument is set as appropriate
kubernetes --root-ca-file argument is set as appropriate
kubernetes --rotate-certificates argument is not set to false
kubernetes --secure-port argument is not set to 0
kubernetes --service-account-key-file argument is set as appropriate
kubernetes --service-account-lookup argument is set to true
kubernetes --service-account-private-key-file argument is set as appropriate
kubernetes --streaming-connection-idle-timeout argument is not set to 0
kubernetes --tls-cert-file and --tls-private-key-file arguments are set as appropriate (API server)
kubernetes --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet)
kubernetes --token-auth-file parameter is not set
kubernetes --use-service-account-credentials argument is set to true
kubernetes A Kubernetes user attempted to perform a high number of actions that were denied
kubernetes A Kubernetes user was assigned cluster administrator permissions
kubernetes A new Kubernetes admission controller was created
kubernetes admin.conf file ownership is set to root:root
kubernetes admin.conf file permissions are set to 644 or more restrictive
kubernetes Admission control plugin AlwaysAdmit is not set
kubernetes Admission control plugin NamespaceLifecycle is set
kubernetes Admission control plugin NodeRestriction is set
kubernetes Admission control plugin PodSecurityPolicy is set
kubernetes Admission control plugin ServiceAccount is set
kubernetes All namespaces have network policies defined
kubernetes Anonymous Request Authorized
kubernetes Anonymous-auth argument is set to false
kubernetes API server pod specification file ownership is set to root:root
kubernetes API server pod specification file permissions are set to 644 or more restrictive
kubernetes Certificate authorities file permissions are set to 644 or more restrictive
kubernetes Client certificate authorities file ownership is set to root:root
kubernetes Controller manager pod specification file ownership is set to root:root
kubernetes Controller manager pod specification file permissions are set to 644 or more restrictive
kubernetes controller-manager.conf file ownership is set to root:root
kubernetes controller-manager.conf file permissions are set to 644 or more restrictive
kubernetes Default service accounts are not actively used
kubernetes etcd data directory ownership is set to etcd:etcd
kubernetes etcd data directory permissions are set to 700 or more restrictive
kubernetes etcd pod specification file ownership is set to root:root
kubernetes etcd pod specification file permissions are set to 644 or more restrictive
kubernetes Kubelet configuration file has permissions set to 644 or more restrictive
kubernetes Kubelet configuration file ownership is set to root:root
kubernetes Kubelet service file ownership is set to root:root
kubernetes Kubelet service file permissions are set to 644 or more restrictive
kubernetes kubelet.conf file ownership is set to root:root
kubernetes kubelet.conf file permissions are set to 644 or more restrictive
kubernetes Kubernetes PKI certificate file permissions are set to 644 or more restrictive
kubernetes Kubernetes PKI directory and file ownership is set to root:root
kubernetes Kubernetes Pod Created in Kube Namespace
kubernetes Kubernetes Pod Created with hostNetwork
kubernetes Kubernetes principal attempted to enumerate their permissions
kubernetes Kubernetes Service Account Created in Kube Namespace
kubernetes Kubernetes Service Created with NodePort
kubernetes Minimal audit policy is created
kubernetes Minimize the admission of containers wishing to share the host IPC namespace
kubernetes Minimize the admission of containers wishing to share the host network namespace
kubernetes Minimize the admission of containers wishing to share the host process ID namespace
kubernetes Minimize the admission of containers with allowPrivilegeEscalation
kubernetes New Kubernetes Namespace Created
kubernetes New Kubernetes privileged pod created
kubernetes Proxy kubeconfig file ownership is set to root:root
kubernetes Proxy kubeconfig file permissions are set to 644 or more restrictive
kubernetes RotateKubeletServerCertificate argument is set to true (Controller Manager)
kubernetes RotateKubeletServerCertificate argument is set to true (Kubelet)
kubernetes Scheduler pod specification file ownership is set to root:root
kubernetes Scheduler pod specification file permissions are set to 644 or more restrictive
kubernetes scheduler.conf file ownership is set to root:root
kubernetes scheduler.conf file permissions are set to 644 or more restrictive
kubernetes The default namespace should not be used
kubernetes User Attached to a Pod
kubernetes User Exec into a Pod