OOTB Rules

Datadog provides out-of-the-box (OOTB) rules to flag attacker techniques and potential misconfigurations so that you can immediately take steps to remediate. Datadog continuously develops new default rules, which are automatically imported into your account.

Filter by Logs Detection to see the Cloud SIEM rules, by Workload Security to see the Cloud Workload Security rules, and by Cloud Configuration or Infrastructure Configuration to see the Cloud Security Posture Management rules.

Cloudtrail

An AWS S3 bucket lifecycle expiration policy was set to disabled
An AWS S3 bucket lifecycle policy expiration is set to < 90 days
An AWS S3 bucket lifecycle policy was deleted
An AWS S3 bucket mfaDelete is disabled
Anomalous AWS user executed a command on ECS container
Anomalous number of S3 buckets accessed
AWS AMI Made Public
AWS CloudTrail configuration modified
AWS CMK deleted or scheduled for deletion
AWS config modified
AWS Console brute force login
AWS Console login without MFA
AWS Console root login without MFA
AWS Detective Graph deleted
AWS EBS default encryption disabled
AWS EBS Snapshot Made Public
AWS EC2 subnet deleted
AWS ECS cluster deleted
AWS EventBridge rule disabled or deleted
AWS FlowLogs removed
AWS GuardDuty detector deleted
AWS GuardDuty publishing destination deleted
AWS IAM policy changed
AWS Network Access Control List created or modified
AWS Network Gateway created or modified
AWS RDS Cluster deleted
AWS root account activity
AWS Route 53 DNS query logging disabled
AWS Route 53 VPC disassociated from query logging configuration
AWS Route Table created or modified
AWS S3 Bucket Policy Made Public
AWS S3 Bucket policy modified
AWS S3 Buckets enumerated
AWS S3 Public Access Block removed
AWS security group created or modified
AWS Security Group Open to the World
AWS Security Hub disabled
AWS unauthorized activity
AWS VPC created or modified
CloudTrail global services are enabled
CloudTrail log file validation is enabled
CloudTrail logs are encrypted at rest using KMS CMKs
CloudTrail multi-region is enabled
New AWS Account Seen Assuming a Role into AWS Account
New EC2 Instance Type
New Private Repository Container Image detected in AWS ECR
New Public Repository Container Image detected in AWS ECR
S3 bucket access logging is enabled on the CloudTrail S3 bucket
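To show what a few of the Cloudtrail detections above look like when evaluated against log records, here is an added example (not Datadog's rule definitions, and not code from this page). It implements "AWS Console login without MFA", "AWS Console root login without MFA", "AWS Console brute force login", "AWS CloudTrail configuration modified" and "AWS S3 Public Access Block removed" over constructed CloudTrail events. The brute-force threshold and window, the set of trail-tampering API calls, and the sample events are assumptions chosen for illustration; only the CloudTrail field names are real.

```python
"""Illustrative detections for several of the Cloudtrail rules listed above.

Added example, not Datadog's rule logic: thresholds and exact trigger
conditions are assumptions. The events below are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SIGNIN = "signin.amazonaws.com"

# Constructed sample CloudTrail records (trimmed to the fields the rules need).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": SIGNIN, "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": SIGNIN, "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.8", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    # five failed logins for "bob" from one IP within a minute
    *[{"eventTime": f"2024-05-01T10:02:{s:02d}Z", "eventSource": SIGNIN, "eventName": "ConsoleLogin",
       "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "IAMUser", "userName": "bob"},
       "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication",
       "additionalEventData": {"MFAUsed": "No"}} for s in range(0, 50, 10)],
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeletePublicAccessBlock", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "requestParameters": {"bucketName": "finance-reports"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": SIGNIN, "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
]

BRUTE_FORCE_THRESHOLD = 5                     # assumed: 5 failures ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)    # ... from one IP within 10 minutes
# assumed set of CloudTrail API calls that count as "configuration modified"
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def evaluate(events):
    """Return (rule name, actor, source IP) findings in chronological order."""
    findings = []
    failures = defaultdict(list)  # sourceIPAddress -> timestamps of failed console logins
    for ev in sorted(events, key=_ts):
        src, name, ip = ev.get("eventSource"), ev.get("eventName"), ev.get("sourceIPAddress")
        actor = _actor(ev)
        if src == SIGNIN and name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            if outcome == "Success" and mfa != "Yes":
                if ev["userIdentity"].get("type") == "Root":
                    findings.append(("AWS Console root login without MFA", actor, ip))
                else:
                    findings.append(("AWS Console login without MFA", actor, ip))
            elif outcome == "Failure":
                window = failures[ip]
                window.append(_ts(ev))
                # slide the window: forget failures older than the window
                while window and _ts(ev) - window[0] > BRUTE_FORCE_WINDOW:
                    window.pop(0)
                if len(window) == BRUTE_FORCE_THRESHOLD:  # fire once, when the threshold is crossed
                    findings.append(("AWS Console brute force login", actor, ip))
        elif src == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
            findings.append(("AWS CloudTrail configuration modified", actor, ip))
        elif src == "s3.amazonaws.com" and name == "DeletePublicAccessBlock":
            findings.append(("AWS S3 Public Access Block removed", actor, ip))
    return findings


if __name__ == "__main__":
    for rule, actor, ip in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {actor} from {ip}")
```

Running it reports five findings: alice's and the root user's MFA-less logins, the brute-force burst from 203.0.113.9, and bob's trail-stop and Public Access Block removal from that same address; carol's MFA-backed login is silent. Grouping the last three by source IP is the kind of correlation a triage workflow would do next.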
Docker

'on-failure' container restart policy is set to '5'
/etc/default/docker auditing is configured
/etc/default/docker file ownership is set to root:root
/etc/default/docker file permissions are set to 644 or more restrictively
/etc/docker auditing is configured
/etc/docker directory ownership is set to root:root
/etc/docker directory permissions are set to 755 or more restrictively
/etc/docker/daemon.json auditing is configured
/etc/sysconfig/docker auditing is configured
/etc/sysconfig/docker file ownership is set to root:root
/etc/sysconfig/docker file permissions are set to 644 or more restrictively
/usr/bin/containerd auditing is configured
/usr/sbin/runc auditing is configured
/var/lib/docker auditing is configured
A separate partition for containers has been created
A user for the container has been created
An AppArmor Profile is enabled
Auditing is configured for the Docker daemon
aufs storage driver is not used
cgroup usage is confirmed
Container health is checked at runtime
Container is restricted from acquiring additional privileges
Container's root filesystem is mounted as read only
CPU priority is set appropriately on containers
daemon.json file ownership is set to root:root
daemon.json file permissions are set to 644 or more restrictive
Default seccomp profile is not Disabled
Docker is allowed to make changes to iptables
Docker server certificate file ownership is set to root:root
Docker server certificate file permissions are set to 444 or more restrictively
Docker server certificate key file ownership is set to root:root
Docker server certificate key file permissions are set to 400
Docker socket file ownership is set to root:docker
Docker socket file permissions are set to 660 or more restrictively
Docker socket is not mounted inside any containers
docker.service auditing is configured
docker.service file ownership is set to root:root
docker.service file permissions are appropriately set
docker.socket auditing is configured
docker.socket file ownership is set to root:root
docker.socket file permissions are set to 644 or more restrictive
HEALTHCHECK instructions have been added to container images
Host's IPC namespace is not shared
Host's network namespace is not shared
Host's process namespace is not shared
Host's user namespaces are not shared
Host's UTS namespace is not shared
Insecure registries are not used
Linux kernel capabilities are restricted within containers
Logging level is set to 'info'
Memory usage for containers is limited
Network traffic is restricted between containers on the default bridge
Only trusted users are allowed to control Docker daemon
PIDs cgroup limit is used
Privileged containers are not used
Privileged ports are not mapped within containers
Registry certificate file ownership is set to root:root
Registry certificate file permissions are set to 444 or more restrictively
SELinux security options are set
Sensitive host system directories are not mounted on containers
TLS authentication for Docker daemon is configured
TLS CA certificate file ownership is set to root:root
TLS CA certificate file permissions are set to 444 or more restrictively
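The per-container Docker checks above are all answerable from the JSON that `docker inspect <container>` prints. The following added example (not Datadog's or the CIS benchmark's own checker, and not code from this page) evaluates a container record against the rules it can see: privileged mode, the five host-namespace rules, read-only root filesystem, no-new-privileges, memory and PID limits, added capabilities, the on-failure restart policy, privileged host ports, the Docker socket mount, sensitive host directory mounts, a non-root user and a health check. The two records are constructed to resemble a careless `docker run --privileged --pid=host --net=host -v /var/run/docker.sock:... -v /etc:... -p 80:8080` and its hardened counterpart; the list of "sensitive" host directories is an assumption taken from the usual benchmark reading of that rule.

```python
"""Check a docker-inspect record against several of the Docker rules listed above.

Added example, not Datadog's or CIS's checker. Both records below are
constructed samples shaped like `docker inspect` output, not real hosts.
"""

# Assumed set of host paths that count as "sensitive" for the mount rule.
SENSITIVE_HOST_DIRS = ("/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")

WEAK = {  # constructed: privileged, host PID/net namespaces, docker.sock and /etc bind-mounted
    "Config": {"User": "", "Healthcheck": None},
    "HostConfig": {
        "Privileged": True, "PidMode": "host", "NetworkMode": "host",
        "IpcMode": "", "UTSMode": "", "UsernsMode": "",
        "ReadonlyRootfs": False, "SecurityOpt": None,
        "Memory": 0, "PidsLimit": None, "CapAdd": ["SYS_ADMIN"],
        "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0},
        "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "80"}]},
    },
    "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"},
        {"Type": "bind", "Source": "/etc", "Destination": "/host-etc"},
    ],
}

HARDENED = {  # constructed: same service run the way the rules expect
    "Config": {"User": "10001:10001",
               "Healthcheck": {"Test": ["CMD", "curl", "-f", "http://localhost:8080/healthz"]}},
    "HostConfig": {
        "Privileged": False, "PidMode": "", "NetworkMode": "bridge",
        "IpcMode": "private", "UTSMode": "", "UsernsMode": "",
        "ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges:true"],
        "Memory": 268435456, "PidsLimit": 200, "CapAdd": None,
        "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 5},
        "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]},
    },
    "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/app/_data", "Destination": "/data"}],
}


def _is_sensitive(path):
    """True for '/' itself or anything at or under one of SENSITIVE_HOST_DIRS."""
    path = path.rstrip("/") or "/"
    return path == "/" or any(path == d or path.startswith(d + "/") for d in SENSITIVE_HOST_DIRS)


def audit_container(inspect):
    """Return the names of the listed rules that this container fails."""
    cfg, hc = inspect.get("Config", {}), inspect.get("HostConfig", {})
    mounts = inspect.get("Mounts", [])
    failed = []

    def check(rule, ok):
        if not ok:
            failed.append(rule)

    check("Privileged containers are not used", not hc.get("Privileged"))
    check("Host's process namespace is not shared", hc.get("PidMode") != "host")
    check("Host's network namespace is not shared", hc.get("NetworkMode") != "host")
    check("Host's IPC namespace is not shared", hc.get("IpcMode") != "host")
    check("Host's UTS namespace is not shared", hc.get("UTSMode") != "host")
    check("Host's user namespaces are not shared", hc.get("UsernsMode") != "host")
    check("Container's root filesystem is mounted as read only", bool(hc.get("ReadonlyRootfs")))
    check("Container is restricted from acquiring additional privileges",
          any(o.startswith("no-new-privileges") for o in (hc.get("SecurityOpt") or [])))
    check("Memory usage for containers is limited", (hc.get("Memory") or 0) > 0)
    check("PIDs cgroup limit is used", (hc.get("PidsLimit") or 0) > 0)
    check("Linux kernel capabilities are restricted within containers", not hc.get("CapAdd"))
    rp = hc.get("RestartPolicy") or {}
    check("'on-failure' container restart policy is set to '5'",
          rp.get("Name") == "on-failure" and rp.get("MaximumRetryCount") == 5)
    host_ports = [int(b["HostPort"]) for bindings in (hc.get("PortBindings") or {}).values()
                  for b in bindings if b.get("HostPort")]
    check("Privileged ports are not mapped within containers", all(p >= 1024 for p in host_ports))
    check("Docker socket is not mounted inside any containers",
          not any(m.get("Source", "").endswith("docker.sock") for m in mounts))
    check("Sensitive host system directories are not mounted on containers",
          not any(m.get("Type") == "bind" and _is_sensitive(m.get("Source", "")) for m in mounts))
    check("A user for the container has been created", bool(cfg.get("User")))
    check("Container health is checked at runtime", bool(cfg.get("Healthcheck")))
    return failed


if __name__ == "__main__":
    for name, record in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_container(record) or "passes all checks")
```

Against the weak record the function returns fourteen failures (the IPC, UTS and user-namespace rules pass because those modes are empty); the hardened record returns an empty list. To run it on a live host, feed it each element of `json.loads(subprocess.check_output(["docker", "inspect", container_id]))`.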
Kubernetes

--audit-log-maxage argument is set to 30 or as appropriate
--audit-log-maxbackup argument is set to 10 or as appropriate
--audit-log-maxsize argument is set to 100 or as appropriate
--audit-log-path argument is set
--authorization-mode argument includes Node
--authorization-mode argument includes RBAC
--authorization-mode argument is not set to AlwaysAllow (API server)
--authorization-mode argument is not set to AlwaysAllow (Kubelet)
--auto-tls argument is not set to true
--basic-auth-file argument is not set
--bind-address argument is set to 127.0.0.1 (Controller Manager)
--bind-address argument is set to 127.0.0.1 (Scheduler)
--cert-file and --key-file arguments are set as appropriate
--client-ca-file argument is set as appropriate (API server)
--client-ca-file argument is set as appropriate (Kubelet)
--client-cert-auth argument is set to true
--encryption-provider-config argument is set as appropriate
--etcd-cafile argument is set as appropriate
--etcd-certfile and --etcd-keyfile arguments are set as appropriate
--insecure-bind-address argument is not set
--insecure-port argument is set to 0
--kubelet-certificate-authority argument is set as appropriate
--kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
--kubelet-https argument is set to true
--make-iptables-util-chains argument is set to true
--peer-auto-tls argument is not set to true
--peer-cert-file and --peer-key-file arguments are set as appropriate
--peer-client-cert-auth argument is set to true
--profiling argument is set to false (API server)
--profiling argument is set to false (Controller Manager)
--profiling argument is set to false (Scheduler)
--protect-kernel-defaults argument is set to true
--read-only-port argument is set to 0
--request-timeout argument is set as appropriate
--root-ca-file argument is set as appropriate
--rotate-certificates argument is not set to false
--secure-port argument is not set to 0
--service-account-key-file argument is set as appropriate
--service-account-lookup argument is set to true
--service-account-private-key-file argument is set as appropriate
--streaming-connection-idle-timeout argument is not set to 0
--tls-cert-file and --tls-private-key-file arguments are set as appropriate (API server)
--tls-cert-file and --tls-private-key-file arguments are set as appropriate (Kubelet)
--token-auth-file parameter is not set
--use-service-account-credentials argument is set to true
admin.conf file ownership is set to root:root
admin.conf file permissions are set to 644 or more restrictive
Admission control plugin AlwaysAdmit is not set
Admission control plugin NamespaceLifecycle is set
Admission control plugin NodeRestriction is set
Admission control plugin PodSecurityPolicy is set
Admission control plugin ServiceAccount is set
All namespaces have network policies defined
Anonymous Request Authorized
Anonymous-auth argument is set to false
API server pod specification file ownership is set to root:root
API server pod specification file permissions are set to 644 or more restrictive
Certificate authorities file permissions are set to 644 or more restrictive
Client certificate authorities file ownership is set to root:root
Controller manager pod specification file ownership is set to root:root
Controller manager pod specification file permissions are set to 644 or more restrictive
controller-manager.conf file ownership is set to root:root
controller-manager.conf file permissions are set to 644 or more restrictive
Default service accounts are not actively used
etcd data directory ownership is set to etcd:etcd
etcd data directory permissions are set to 700 or more restrictive
etcd pod specification file ownership is set to root:root
etcd pod specification file permissions are set to 644 or more restrictive
Kubelet configuration file has permissions set to 644 or more restrictive
Kubelet configuration file ownership is set to root:root
Kubelet service file ownership is set to root:root
Kubelet service file permissions are set to 644 or more restrictive
kubelet.conf file ownership is set to root:root
kubelet.conf file permissions are set to 644 or more restrictive
Kubernetes PKI certificate file permissions are set to 644 or more restrictive
Kubernetes PKI directory and file ownership is set to root:root
Kubernetes Pod Created in Kube Namespace
Kubernetes Pod Created with hostNetwork
Kubernetes Service Account Created in Kube Namespace
Kubernetes Service Created with NodePort
Minimal audit policy is created
Minimize the admission of containers wishing to share the host IPC namespace
Minimize the admission of containers wishing to share the host network namespace
Minimize the admission of containers wishing to share the host process ID namespace
Minimize the admission of containers with allowPrivilegeEscalation
New Kubernetes Namespace Created
New Kubernetes privileged pod created
Proxy kubeconfig file ownership is set to root:root
Proxy kubeconfig file permissions are set to 644 or more restrictive
RotateKubeletServerCertificate argument is set to true (Controller Manager)
RotateKubeletServerCertificate argument is set to true (Kubelet)
Scheduler pod specification file ownership is set to root:root
Scheduler pod specification file permissions are set to 644 or more restrictive
scheduler.conf file ownership is set to root:root
scheduler.conf file permissions are set to 644 or more restrictive
The default namespace should not be used
User Attached to a Pod
User Exec into a Pod
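Most of the API server rules above are statements about kube-apiserver's command-line flags, which on a kubeadm cluster live in the `command` array of the static pod manifest under /etc/kubernetes/manifests. The added example below (not Datadog's or kube-bench's checker, and not code from this page) parses that array and evaluates the flag rules it covers: anonymous auth, authorization modes, the legacy basic/token auth files, insecure and secure ports, profiling, the four audit-log flags, request timeout, service-account lookup, kubelet CA, encryption-at-rest config, and the AlwaysAdmit/NodeRestriction admission plugins. The two command lists are constructed samples; the defaults assumed for absent flags (insecure-port 0, secure-port 6443, service-account-lookup true) follow upstream kube-apiserver defaults, and NodeRestriction is required to be listed explicitly because it is not in the default-enabled plugin set.

```python
"""Audit kube-apiserver flags against the API server rules listed above.

Added example, not Datadog's or kube-bench's own checker. Input is the
`command` list of the kube-apiserver container in its static pod manifest;
both lists below are constructed samples.
"""

WEAK_APISERVER = [  # constructed: open authorization, legacy auth file, no auditing
    "kube-apiserver", "--advertise-address=10.0.0.10", "--anonymous-auth=true",
    "--authorization-mode=AlwaysAllow", "--basic-auth-file=/etc/kubernetes/basic.csv",
    "--insecure-port=8080", "--enable-admission-plugins=AlwaysAdmit,NamespaceLifecycle",
    "--etcd-servers=https://127.0.0.1:2379",
]

HARDENED_APISERVER = [  # constructed: the same server configured the way the rules expect
    "kube-apiserver", "--advertise-address=10.0.0.10", "--anonymous-auth=false",
    "--authorization-mode=Node,RBAC", "--enable-admission-plugins=NodeRestriction",
    "--secure-port=6443", "--profiling=false",
    "--audit-log-path=/var/log/kubernetes/audit/audit.log", "--audit-log-maxage=30",
    "--audit-log-maxbackup=10", "--audit-log-maxsize=100", "--request-timeout=300s",
    "--service-account-lookup=true", "--kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt",
    "--encryption-provider-config=/etc/kubernetes/encryption-config.yaml",
    "--etcd-servers=https://127.0.0.1:2379",
]


def parse_flags(command):
    """Map --flag=value or --flag value arguments to values; a bare --flag means 'true'."""
    flags, args, i = {}, list(command[1:]), 0  # command[0] is the binary name
    while i < len(args):
        arg = args[i]
        if arg.startswith("--"):
            if "=" in arg:
                name, value = arg[2:].split("=", 1)
            elif i + 1 < len(args) and not args[i + 1].startswith("--"):
                name, value = arg[2:], args[i + 1]
                i += 1
            else:
                name, value = arg[2:], "true"  # Go boolean flag given without a value
            flags[name] = value
        i += 1
    return flags


def audit_apiserver(command):
    """Return the names of the listed rules that this kube-apiserver invocation fails."""
    f = parse_flags(command)
    failed = []

    def check(rule, ok):
        if not ok:
            failed.append(rule)

    modes = set(f.get("authorization-mode", "AlwaysAllow").split(","))  # upstream default
    plugins = set(f.get("enable-admission-plugins", "").split(","))
    check("Anonymous-auth argument is set to false", f.get("anonymous-auth") == "false")
    check("--authorization-mode argument is not set to AlwaysAllow (API server)", "AlwaysAllow" not in modes)
    check("--authorization-mode argument includes Node", "Node" in modes)
    check("--authorization-mode argument includes RBAC", "RBAC" in modes)
    check("--basic-auth-file argument is not set", "basic-auth-file" not in f)
    check("--token-auth-file parameter is not set", "token-auth-file" not in f)
    check("--insecure-port argument is set to 0", f.get("insecure-port", "0") == "0")
    check("--secure-port argument is not set to 0", f.get("secure-port", "6443") != "0")
    check("--profiling argument is set to false (API server)", f.get("profiling") == "false")
    check("--audit-log-path argument is set", bool(f.get("audit-log-path")))
    check("--audit-log-maxage argument is set to 30 or as appropriate", int(f.get("audit-log-maxage", 0)) >= 30)
    check("--audit-log-maxbackup argument is set to 10 or as appropriate", int(f.get("audit-log-maxbackup", 0)) >= 10)
    check("--audit-log-maxsize argument is set to 100 or as appropriate", int(f.get("audit-log-maxsize", 0)) >= 100)
    check("--request-timeout argument is set as appropriate", "request-timeout" in f)
    check("--service-account-lookup argument is set to true", f.get("service-account-lookup", "true") == "true")
    check("--kubelet-certificate-authority argument is set as appropriate", "kubelet-certificate-authority" in f)
    check("--encryption-provider-config argument is set as appropriate", "encryption-provider-config" in f)
    check("Admission control plugin AlwaysAdmit is not set", "AlwaysAdmit" not in plugins)
    check("Admission control plugin NodeRestriction is set", "NodeRestriction" in plugins)
    return failed


if __name__ == "__main__":
    for name, cmd in (("weak", WEAK_APISERVER), ("hardened", HARDENED_APISERVER)):
        print(name, audit_apiserver(cmd) or "passes all checks")
```

The weak invocation fails sixteen of the nineteen checks (only the token-auth-file, secure-port and service-account-lookup rules pass, the latter two by upstream default); the hardened one fails none. The same parser serves the kubelet, controller manager and scheduler rules in the list, which differ only in the flag table.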