Windows Agent attributes and helpers

This documentation describes Windows attributes and helpers of the Datadog’s Security Language (SECL).

Rules using Windows attributes and helpers must include an OS rule filter field as follows.

id: [...]
expression: [...]
filters:
  - os == "windows"

Triggers

Triggers are events that correspond to types of activity seen by the system. The currently supported set of triggers is:

Variables

SECL variables are predefined variables that can be used as values or as part of values.

For example, rule using a process.pid variable looks like this:

open.file.path == "/proc/${process.pid}/maps"

List of the available variables:

Event attributes

Common to all event types

Event change_permission

A permission change was made

Event create

A file was created

Event create_key

A registry key was created

Event delete

A file was deleted

Event delete_key

A registry key was deleted

Event exec

A process was executed or forked

Event exit

A process was terminated

Event open_key

A registry key was opened

Event rename

A file was renamed

Event set_key_value

A registry key value was set

Event write

A file was written

Attributes documentation

*.cmdline

Type: string

Definition: Command line of the process

*.cmdline has 5 possible prefixes: exec exit process process.ancestors process.parent

Example:

exec.cmdline == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"

Matches any process with these exact arguments.

Example:

exec.cmdline =~ "* -F * http*"

Matches any process that has the “-F” argument anywhere before an argument starting with “http”.

*.container.id

Type: string

Definition: Container ID

*.container.id has 5 possible prefixes: exec exit process process.ancestors process.parent

*.created_at

Type: int

Definition: Timestamp of the creation of the process

*.created_at has 5 possible prefixes: exec exit process process.ancestors process.parent

*.device_path

Type: string

Definition: File’s path

*.device_path has 5 possible prefixes: create.file delete.file rename.file rename.file.destination write.file

Example:

create.file.device_path == "\device\harddisk1\cmd.bat"

Matches the creation of the file located at c:\cmd.bat

*.envp

Type: string

Definition: Environment variables of the process

*.envp has 5 possible prefixes: exec exit process process.ancestors process.parent

*.envs

Type: string

Definition: Environment variable names of the process

*.envs has 5 possible prefixes: exec exit process process.ancestors process.parent

*.key_name

Type: string

Definition: Registry’s name

*.key_name has 8 possible prefixes: create.registry create_key.registry delete.registry delete_key.registry open.registry open_key.registry set.registry set_key_value.registry

*.key_path

Type: string

Definition: Registry’s path

*.key_path has 8 possible prefixes: create.registry create_key.registry delete.registry delete_key.registry open.registry open_key.registry set.registry set_key_value.registry

*.length

Type: int

Definition: Length of the corresponding string

*.length has 43 possible prefixes: create.file.device_path create.file.name create.file.path create.registry.key_name create.registry.key_path create_key.registry.key_name create_key.registry.key_path delete.file.device_path delete.file.name delete.file.path delete.registry.key_name delete.registry.key_path delete_key.registry.key_name delete_key.registry.key_path exec.file.name exec.file.path exit.file.name exit.file.path open.registry.key_name open.registry.key_path open_key.registry.key_name open_key.registry.key_path process.ancestors.file.name process.ancestors.file.path process.file.name process.file.path process.parent.file.name process.parent.file.path rename.file.destination.device_path rename.file.destination.name rename.file.destination.path rename.file.device_path rename.file.name rename.file.path set.registry.key_name set.registry.key_path set.registry.value_name set_key_value.registry.key_name set_key_value.registry.key_path set_key_value.registry.value_name write.file.device_path write.file.name write.file.path

*.name

Type: string

Definition: File’s basename

*.name has 5 possible prefixes: exec.file exit.file process.ancestors.file process.file process.parent.file

Example:

exec.file.name == "cmd.bat"

Matches the execution of any file named cmd.bat.

*.name

Type: string

Definition: File’s basename

*.name has 5 possible prefixes: create.file delete.file rename.file rename.file.destination write.file

Example:

create.file.name == "cmd.bat"

Matches the creation of any file named cmd.bat.

*.path

Type: string

Definition: File’s path

*.path has 5 possible prefixes: exec.file exit.file process.ancestors.file process.file process.parent.file

Example:

exec.file.path == "c:\cmd.bat"

Matches the execution of the file located at c:\cmd.bat

*.path

Type: string

Definition: File’s path

*.path has 5 possible prefixes: create.file delete.file rename.file rename.file.destination write.file

Example:

create.file.path == "c:\cmd.bat"

Matches the creation of the file located at c:\cmd.bat

*.pid

Type: int

Definition: Process ID of the process (also called thread group ID)

*.pid has 5 possible prefixes: exec exit process process.ancestors process.parent

*.ppid

Type: int

Definition: Parent process ID

*.ppid has 5 possible prefixes: exec exit process process.ancestors process.parent

*.registry.value_name

Type: string

Definition: Registry’s value name

*.registry.value_name has 2 possible prefixes: set set_key_value

*.user

Type: string

Definition: User name

*.user has 5 possible prefixes: exec exit process process.ancestors process.parent

*.user_sid

Type: string

Definition: Sid of the user of the process

*.user_sid has 5 possible prefixes: exec exit process process.ancestors process.parent

*.value_name

Type: string

Definition: Registry’s value name

*.value_name has 2 possible prefixes: set set_key_value

change_permission.new_sd

Type: string

Definition: New Security Descriptor of the object of which permission was changed

change_permission.old_sd

Type: string

Definition: Original Security Descriptor of the object of which permission was changed

change_permission.path

Type: string

Definition: Name of the object of which permission was changed

change_permission.type

Type: string

Definition: Type of the object of which permission was changed

change_permission.user_domain

Type: string

Definition: Domain name of the permission change author

change_permission.username

Type: string

Definition: Username of the permission change author

container.created_at

Type: int

Definition: Timestamp of the creation of the container

container.id

Type: string

Definition: ID of the container

container.runtime

Type: string

Definition: Runtime managing the container

container.tags

Type: string

Definition: Tags of the container

event.hostname

Type: string

Definition: Hostname associated with the event

event.origin

Type: string

Definition: Origin of the event

event.os

Type: string

Definition: Operating system of the event

event.service

Type: string

Definition: Service associated with the event

event.timestamp

Type: int

Definition: Timestamp of the event

exit.cause

Type: int

Definition: Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)

exit.code

Type: int

Definition: Exit code of the process or number of the signal that caused the process to terminate

Constants

Constants are used to improve the readability of your rules. Some constants are common to all architectures, others are specific to some architectures.

Boolean constants

Boolean constants are the supported boolean constants.

DNS qclasses

DNS qclasses are the supported DNS query classes.

DNS qtypes

DNS qtypes are the supported DNS query types.

L3 protocols

L3 protocols are the supported Layer 3 protocols.

L4 protocols

L4 protocols are the supported Layer 4 protocols.

お役に立つドキュメント、リンクや記事:

Get started with Datadog CSM ThreatsDOCUMENTATION