User agent associated with penetration testing tool observed

Classification:

attack


Goal

Detect when a penetration testing tool user agent is observed.

Strategy

This rule monitors cloud audit logs for requests whose user agent is associated with a known penetration testing tool. While these tools may be used legitimately by an organization to assess its own security posture, they can also be used by attackers for discovery once they have gained unauthorized access to your cloud environment.

Triage and response

  1. Determine if your organization used any of the tools observed for its own security assessment.
  2. If the tool was used by your organization, consider adding a suppression for the penetration testing tool's identity or IP address. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. If the tool was not used by your organization, begin your company’s incident response process and an investigation.
    • If appropriate, disable or rotate the affected credential or identity.
    • Investigate any actions taken by the identity.
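The detection logic described under Strategy, combined with the identity suppression from triage step 2, as an added illustration that is not part of this rule page or Datadog's implementation. The user-agent patterns, the suppressed identity, and the CloudTrail-shaped log records are all constructed for the example; the page itself does not list which tools the rule matches.

```python
import json
import re

# Constructed sample patterns: the rule page does not list which tools it matches,
# so these are illustrative user-agent fragments, not the rule's own content.
PENTEST_UA_PATTERNS = {
    "sqlmap": re.compile(r"\bsqlmap\b", re.IGNORECASE),
    "nikto": re.compile(r"\bnikto\b", re.IGNORECASE),
    "nmap": re.compile(r"Nmap Scripting Engine", re.IGNORECASE),
}

# Constructed suppression list (triage step 2): identities the organization
# uses for its own authorized security assessments.
SUPPRESSED_IDENTITIES = {"arn:aws:iam::111122223333:user/authorized-assessor"}


def identify_tool(user_agent):
    """Return the matched tool name, or None if the user agent looks ordinary."""
    for name, pattern in PENTEST_UA_PATTERNS.items():
        if pattern.search(user_agent or ""):
            return name
    return None


def detect(log_lines, suppressed=SUPPRESSED_IDENTITIES):
    """Run the detection over CloudTrail-style JSON lines; one finding per unsuppressed hit."""
    findings = []
    for line in log_lines:
        event = json.loads(line)
        tool = identify_tool(event.get("userAgent", ""))
        if tool is None:
            continue
        identity = event.get("userIdentity", {}).get("arn", "")
        if identity in suppressed:
            continue  # authorized assessment identity, do not alert
        findings.append({"tool": tool, "identity": identity,
                         "source_ip": event.get("sourceIPAddress"),
                         "action": event.get("eventName")})
    return findings


# Constructed sample audit records (CloudTrail-shaped), not real log data.
SAMPLE_LOGS = [
    json.dumps({"eventName": "ListBuckets", "userAgent": "sqlmap/1.7 (https://sqlmap.org)",
                "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-deployer"}}),
    json.dumps({"eventName": "GetCallerIdentity", "userAgent": "Mozilla/5.0 (Nikto/2.1.6)",
                "sourceIPAddress": "203.0.113.9",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/authorized-assessor"}}),
    json.dumps({"eventName": "DescribeInstances", "userAgent": "aws-cli/2.15.0 Python/3.11",
                "sourceIPAddress": "192.0.2.4",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-runner"}}),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

Running the sample yields one finding (the sqlmap request from the unsuppressed app-deployer identity); the Nikto request is dropped by the suppression and the aws-cli request never matches.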