Windows Agent attributes and helpers

This documentation describes the Windows attributes and helpers of Datadog's Security Language (SECL).

Rules that use Windows attributes and helpers must include an os rule filter, as follows (without it the rule is evaluated against Linux event types and never matches Windows events):

id: [...]
expression: [...]
filters:
  - os == "windows"

Triggers

Triggers are events that correspond to types of activity seen by the system. The currently supported set of triggers is:

| SECL Event | Type | Definition | Agent Version |
|---|---|---|---|
| change_permission | Registry | A permission change was made | 7.55 |
| create | File | A file was created | 7.52 |
| create_key | Registry | A registry key was created | 7.52 |
| delete | File | A file was deleted | 7.54 |
| delete_key | Registry | A registry key was deleted | 7.52 |
| exec | Process | A process was executed or forked | 7.27 |
| exit | Process | A process was terminated | 7.38 |
| open_key | Registry | A registry key was opened | 7.52 |
| rename | File | A file was renamed | 7.54 |
| set_key_value | Registry | A registry key value was set | 7.52 |
| write | File | A file was written | 7.54 |
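The following policy file is an added example and is not part of the Datadog documentation or of any shipped Datadog policy. It shows how each family of Windows triggers (process, file, registry, permission change) is combined with the mandatory os filter, using only attributes and operators documented on this page. Assumptions are marked in the comments: the policy layout (a top-level rules list whose entries carry id, description, expression and filters), the exact form of registry key paths as reported by the agent, and that old_sd/new_sd are SDDL strings.

```yaml
# Added example policy (not Datadog's own). Assumes the standard policy file
# layout of a top-level `rules:` list; rule ids and descriptions are made up.
rules:
  # Process trigger: a command interpreter or script host started by an
  # Office application. exec.* describes the new process, process.parent.*
  # its parent.
  - id: windows_office_spawns_shell
    description: Office process launched a command interpreter or script host
    expression: >-
      exec.file.name in ["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"]
      && process.parent.file.name in ["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]
    filters:
      - os == "windows"

  # Registry trigger: a value written under a CurrentVersion\Run key.
  # Assumption: key_path is the full kernel path, so the glob only anchors on
  # the tail of the key; verify the prefix form against real events before
  # tightening the pattern.
  - id: windows_run_key_persistence
    description: Value written under a CurrentVersion\Run autostart key
    expression: >-
      set_key_value.registry.key_path =~ "*\Microsoft\Windows\CurrentVersion\Run*"
      && process.file.name not in ["msiexec.exe", "explorer.exe"]
    filters:
      - os == "windows"

  # File trigger: a file under a user's Temp directory renamed to an .exe.
  # rename.file.* is the source, rename.file.destination.* the target name.
  - id: windows_temp_file_renamed_to_exe
    description: File renamed to an executable extension under a user profile
    expression: >-
      rename.file.destination.name =~ "*.exe"
      && rename.file.destination.path =~ "C:\Users\*\AppData\Local\Temp\*"
    filters:
      - os == "windows"

  # Permission-change trigger: an allow ACE for Everyone (SDDL SID alias WD)
  # appears in the new descriptor but not in the old one.
  # Assumption: old_sd and new_sd are SDDL strings such as
  # "O:BAG:SYD:(A;;FA;;;WD)".
  - id: windows_acl_grants_everyone
    description: Object ACL changed to add an allow ACE for Everyone
    expression: >-
      change_permission.new_sd =~ "*(A;*;;;WD)*"
      && change_permission.old_sd !~ "*(A;*;;;WD)*"
    filters:
      - os == "windows"
```

Expressions are written as YAML folded block scalars (>-) so that the Windows backslashes reach SECL untouched; in a YAML double-quoted scalar they would be interpreted as YAML escapes. Names such as cmd.exe are compared as reported by the kernel, so check the case the agent emits before relying on an exact == comparison.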

Variables

SECL variables are predefined variables that can be used as values or as part of values.

For example, a rule using the process.pid variable looks like this:

open.file.path == "/proc/${process.pid}/maps"

This is the generic SECL example: it uses a Linux path and the Linux-only open event, which is not among the Windows triggers above. On Windows, ${process.pid} is interpolated into string values of Windows attributes in the same way.

List of the available variables:

| SECL Variable | Definition | Agent Version |
|---|---|---|
| process.pid | Process PID | 7.33 |

Event attributes

Common to all event types

| Property | Definition |
|---|---|
| container.created_at | Timestamp of the creation of the container |
| container.id | ID of the container |
| container.runtime | Runtime managing the container |
| container.tags | Tags of the container |
| event.hostname | Hostname associated with the event |
| event.origin | Origin of the event |
| event.os | Operating system of the event |
| event.service | Service associated with the event |
| event.timestamp | Timestamp of the event |
| process.ancestors.cmdline | Command line of the process |
| process.ancestors.container.id | Container ID |
| process.ancestors.created_at | Timestamp of the creation of the process |
| process.ancestors.envp | Environment variables of the process |
| process.ancestors.envs | Environment variable names of the process |
| process.ancestors.file.name | File's basename |
| process.ancestors.file.name.length | Length of the corresponding string |
| process.ancestors.file.path | File's path |
| process.ancestors.file.path.length | Length of the corresponding string |
| process.ancestors.pid | Process ID of the process (also called thread group ID) |
| process.ancestors.ppid | Parent process ID |
| process.ancestors.user | User name |
| process.ancestors.user_sid | SID of the user of the process |
| process.cmdline | Command line of the process |
| process.container.id | Container ID |
| process.created_at | Timestamp of the creation of the process |
| process.envp | Environment variables of the process |
| process.envs | Environment variable names of the process |
| process.file.name | File's basename |
| process.file.name.length | Length of the corresponding string |
| process.file.path | File's path |
| process.file.path.length | Length of the corresponding string |
| process.parent.cmdline | Command line of the process |
| process.parent.container.id | Container ID |
| process.parent.created_at | Timestamp of the creation of the process |
| process.parent.envp | Environment variables of the process |
| process.parent.envs | Environment variable names of the process |
| process.parent.file.name | File's basename |
| process.parent.file.name.length | Length of the corresponding string |
| process.parent.file.path | File's path |
| process.parent.file.path.length | Length of the corresponding string |
| process.parent.pid | Process ID of the process (also called thread group ID) |
| process.parent.ppid | Parent process ID |
| process.parent.user | User name |
| process.parent.user_sid | SID of the user of the process |
| process.pid | Process ID of the process (also called thread group ID) |
| process.ppid | Parent process ID |
| process.user | User name |
| process.user_sid | SID of the user of the process |

Event change_permission

A permission change was made

| Property | Definition |
|---|---|
| change_permission.new_sd | New security descriptor of the object whose permissions were changed |
| change_permission.old_sd | Original security descriptor of the object whose permissions were changed |
| change_permission.path | Name of the object whose permissions were changed |
| change_permission.type | Type of the object whose permissions were changed |
| change_permission.user_domain | Domain name of the account that made the permission change |
| change_permission.username | Username of the account that made the permission change |

Event create

A file was created

| Property | Definition |
|---|---|
| create.file.device_path | File's path |
| create.file.device_path.length | Length of the corresponding string |
| create.file.name | File's basename |
| create.file.name.length | Length of the corresponding string |
| create.file.path | File's path |
| create.file.path.length | Length of the corresponding string |

Event create_key

A registry key was created

| Property | Definition |
|---|---|
| create.registry.key_name | Registry key's name |
| create.registry.key_name.length | Length of the corresponding string |
| create.registry.key_path | Registry key's path |
| create.registry.key_path.length | Length of the corresponding string |
| create_key.registry.key_name | Registry key's name |
| create_key.registry.key_name.length | Length of the corresponding string |
| create_key.registry.key_path | Registry key's path |
| create_key.registry.key_path.length | Length of the corresponding string |

The create.registry.* and create_key.registry.* prefixes refer to the same fields of this event.

Event delete

A file was deleted

| Property | Definition |
|---|---|
| delete.file.device_path | File's path |
| delete.file.device_path.length | Length of the corresponding string |
| delete.file.name | File's basename |
| delete.file.name.length | Length of the corresponding string |
| delete.file.path | File's path |
| delete.file.path.length | Length of the corresponding string |

Event delete_key

A registry key was deleted

| Property | Definition |
|---|---|
| delete.registry.key_name | Registry key's name |
| delete.registry.key_name.length | Length of the corresponding string |
| delete.registry.key_path | Registry key's path |
| delete.registry.key_path.length | Length of the corresponding string |
| delete_key.registry.key_name | Registry key's name |
| delete_key.registry.key_name.length | Length of the corresponding string |
| delete_key.registry.key_path | Registry key's path |
| delete_key.registry.key_path.length | Length of the corresponding string |

The delete.registry.* and delete_key.registry.* prefixes refer to the same fields of this event.

Event exec

A process was executed or forked

| Property | Definition |
|---|---|
| exec.cmdline | Command line of the process |
| exec.container.id | Container ID |
| exec.created_at | Timestamp of the creation of the process |
| exec.envp | Environment variables of the process |
| exec.envs | Environment variable names of the process |
| exec.file.name | File's basename |
| exec.file.name.length | Length of the corresponding string |
| exec.file.path | File's path |
| exec.file.path.length | Length of the corresponding string |
| exec.pid | Process ID of the process (also called thread group ID) |
| exec.ppid | Parent process ID |
| exec.user | User name |
| exec.user_sid | SID of the user of the process |

Event exit

A process was terminated

| Property | Definition |
|---|---|
| exit.cause | Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED) |
| exit.cmdline | Command line of the process |
| exit.code | Exit code of the process or number of the signal that caused the process to terminate |
| exit.container.id | Container ID |
| exit.created_at | Timestamp of the creation of the process |
| exit.envp | Environment variables of the process |
| exit.envs | Environment variable names of the process |
| exit.file.name | File's basename |
| exit.file.name.length | Length of the corresponding string |
| exit.file.path | File's path |
| exit.file.path.length | Length of the corresponding string |
| exit.pid | Process ID of the process (also called thread group ID) |
| exit.ppid | Parent process ID |
| exit.user | User name |
| exit.user_sid | SID of the user of the process |

Event open_key

A registry key was opened

| Property | Definition |
|---|---|
| open.registry.key_name | Registry key's name |
| open.registry.key_name.length | Length of the corresponding string |
| open.registry.key_path | Registry key's path |
| open.registry.key_path.length | Length of the corresponding string |
| open_key.registry.key_name | Registry key's name |
| open_key.registry.key_name.length | Length of the corresponding string |
| open_key.registry.key_path | Registry key's path |
| open_key.registry.key_path.length | Length of the corresponding string |

The open.registry.* and open_key.registry.* prefixes refer to the same fields of this event. Note that on Windows the open event exists only for registry keys; there is no file open trigger.

Event rename

A file was renamed

| Property | Definition |
|---|---|
| rename.file.destination.device_path | File's path |
| rename.file.destination.device_path.length | Length of the corresponding string |
| rename.file.destination.name | File's basename |
| rename.file.destination.name.length | Length of the corresponding string |
| rename.file.destination.path | File's path |
| rename.file.destination.path.length | Length of the corresponding string |
| rename.file.device_path | File's path |
| rename.file.device_path.length | Length of the corresponding string |
| rename.file.name | File's basename |
| rename.file.name.length | Length of the corresponding string |
| rename.file.path | File's path |
| rename.file.path.length | Length of the corresponding string |

rename.file.* describes the file before the rename and rename.file.destination.* its new name and location.

Event set_key_value

A registry key value was set

| Property | Definition |
|---|---|
| set.registry.key_name | Registry key's name |
| set.registry.key_name.length | Length of the corresponding string |
| set.registry.key_path | Registry key's path |
| set.registry.key_path.length | Length of the corresponding string |
| set.registry.value_name | Registry value's name |
| set.registry.value_name.length | Length of the corresponding string |
| set.value_name | Registry value's name |
| set_key_value.registry.key_name | Registry key's name |
| set_key_value.registry.key_name.length | Length of the corresponding string |
| set_key_value.registry.key_path | Registry key's path |
| set_key_value.registry.key_path.length | Length of the corresponding string |
| set_key_value.registry.value_name | Registry value's name |
| set_key_value.registry.value_name.length | Length of the corresponding string |
| set_key_value.value_name | Registry value's name |

The set.* and set_key_value.* prefixes refer to the same fields of this event. The value's data is not exposed; rules can match on the key path and the value name only.

Event write

A file was written

| Property | Definition |
|---|---|
| write.file.device_path | File's path |
| write.file.device_path.length | Length of the corresponding string |
| write.file.name | File's basename |
| write.file.name.length | Length of the corresponding string |
| write.file.path | File's path |
| write.file.path.length | Length of the corresponding string |

Attributes documentation

*.cmdline

Type: string

Definition: Command line of the process

*.cmdline has 5 possible prefixes: exec, exit, process, process.ancestors, process.parent

Example:

exec.cmdline == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"

Matches any process with these exact arguments. On Windows, cmdline is the full command line as passed at process creation, which usually begins with the executable itself, so an exact == comparison must include that part; a pattern match with =~ (as in the next example) is usually more practical.

Example:

exec.cmdline =~ "* -F * http*"

Matches any process that has the “-F” argument anywhere before an argument starting with “http”.

*.container.id

Type: string

Definition: Container ID

*.container.id has 5 possible prefixes: exec, exit, process, process.ancestors, process.parent

*.created_at

Type: int

Definition: Timestamp of the creation of the process

*.created_at has 5 possible prefixes: exec, exit, process, process.ancestors, process.parent

*.device_path

Type: string

Definition: File's path in the NT device namespace (for example \Device\HarddiskVolumeN\...), as opposed to *.path, which is the same file with the volume resolved to its drive letter

*.device_path has 5 possible prefixes: create.file, delete.file, rename.file, rename.file.destination, write.file

Example:

create.file.device_path == "\device\harddisk1\cmd.bat"

Matches the creation of the file located at c:\cmd.bat, on a host where that device path maps to the C: drive. The mapping between device paths and drive letters depends on the host's volume layout, so prefer *.path unless the rule specifically targets a volume.

*.envp

Type: string

Definition: Environment variables of the process

*.envp has 5 possible prefixes: exec, exit, process, process.ancestors, process.parent

*.envs

Type: string

Definition: Environment variable names of the process

*.envs has 5 possible prefixes: exec, exit, process, process.ancestors, process.parent

*.key_name

Type: string

Definition: Registry key's name

*.key_name has 8 possible prefixes: create.registry, create_key.registry, delete.registry, delete_key.registry, open.registry, open_key.registry, set.registry, set_key_value.registry

*.key_path

Type: string

Definition: Registry key's path

*.key_path has 8 possible prefixes: create.registry, create_key.registry, delete.registry, delete_key.registry, open.registry, open_key.registry, set.registry, set_key_value.registry

*.length

Type: int

Definition: Length of the corresponding string

*.length has 43 possible prefixes: create.file.device_path, create.file.name, create.file.path, create.registry.key_name, create.registry.key_path, create_key.registry.key_name, create_key.registry.key_path, delete.file.device_path, delete.file.name, delete.file.path, delete.registry.key_name, delete.registry.key_path, delete_key.registry.key_name, delete_key.registry.key_path, exec.file.name, exec.file.path, exit.file.name, exit.file.path, open.registry.key_name, open.registry.key_path, open_key.registry.key_name, open_key.registry.key_path, process.ancestors.file.name, process.ancestors.file.path, process.file.name, process.file.path, process.parent.file.name, process.parent.file.path, rename.file.destination.device_path, rename.file.destination.name, rename.file.destination.path, rename.file.device_path, rename.file.name, rename.file.path, set.registry.key_name, set.registry.key_path, set.registry.value_name, set_key_value.registry.key_name, set_key_value.registry.key_path, set_key_value.registry.value_name, write.file.device_path, write.file.name, write.file.path

*.name (process file attributes)

Type: string

Definition: File’s basename

*.name has 5 possible prefixes: exec.file, exit.file, process.ancestors.file, process.file, process.parent.file

Example:

exec.file.name == "cmd.bat"

Matches the execution of any file named cmd.bat.

*.name (file event attributes)

Type: string

Definition: File’s basename

*.name has 5 possible prefixes: create.file, delete.file, rename.file, rename.file.destination, write.file

Example:

create.file.name == "cmd.bat"

Matches the creation of any file named cmd.bat.

*.path (process file attributes)

Type: string

Definition: File’s path

*.path has 5 possible prefixes: exec.file, exit.file, process.ancestors.file, process.file, process.parent.file

Example:

exec.file.path == "c:\cmd.bat"

Matches the execution of the file located at c:\cmd.bat

*.path (file event attributes)

Type: string

Definition: File’s path

*.path has 5 possible prefixes: create.file, delete.file, rename.file, rename.file.destination, write.file

Example:

create.file.path == "c:\cmd.bat"

Matches the creation of the file located at c:\cmd.bat

*.pid

Type: int

Definition: Process ID of the process (also called thread group ID)

*.pid has 5 possible prefixes: exec, exit, process, process.ancestors, process.parent

*.ppid

Type: int

Definition: Parent process ID

*.ppid has 5 possible prefixes: exec, exit, process, process.ancestors, process.parent

*.registry.value_name

Type: string

Definition: Registry value's name

*.registry.value_name has 2 possible prefixes: set, set_key_value

*.user

Type: string

Definition: User name

*.user has 5 possible prefixes: exec, exit, process, process.ancestors, process.parent

*.user_sid

Type: string

Definition: SID of the user of the process

*.user_sid has 5 possible prefixes: exec, exit, process, process.ancestors, process.parent

*.value_name

Type: string

Definition: Registry value's name (short form of *.registry.value_name)

*.value_name has 2 possible prefixes: set, set_key_value

change_permission.new_sd

Type: string

Definition: New security descriptor of the object whose permissions were changed

change_permission.old_sd

Type: string

Definition: Original security descriptor of the object whose permissions were changed

change_permission.path

Type: string

Definition: Name of the object whose permissions were changed

change_permission.type

Type: string

Definition: Type of the object whose permissions were changed

change_permission.user_domain

Type: string

Definition: Domain name of the account that made the permission change

change_permission.username

Type: string

Definition: Username of the account that made the permission change

container.created_at

Type: int

Definition: Timestamp of the creation of the container

container.id

Type: string

Definition: ID of the container

container.runtime

Type: string

Definition: Runtime managing the container

container.tags

Type: string

Definition: Tags of the container

event.hostname

Type: string

Definition: Hostname associated with the event

event.origin

Type: string

Definition: Origin of the event

event.os

Type: string

Definition: Operating system of the event

event.service

Type: string

Definition: Service associated with the event

event.timestamp

Type: int

Definition: Timestamp of the event

exit.cause

Type: int

Definition: Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)

exit.code

Type: int

Definition: Exit code of the process or number of the signal that caused the process to terminate

Constants

Constants are used to improve the readability of your rules. Some constants are common to all architectures, others are specific to some architectures. The DNS and L3/L4 protocol constants below are listed for completeness: none of the Windows triggers above is a DNS or network event, so they only become useful in Linux rules.

Boolean constants

Boolean constants are the supported boolean constants.

| Name | Architectures |
|---|---|
| true | all |
| false | all |

DNS qclasses

DNS qclasses are the supported DNS query classes.

| Name | Architectures |
|---|---|
| CLASS_INET | all |
| CLASS_CSNET | all |
| CLASS_CHAOS | all |
| CLASS_HESIOD | all |
| CLASS_NONE | all |
| CLASS_ANY | all |

DNS qtypes

DNS qtypes are the supported DNS query types. All of the following are available on all architectures:

None, A, NS, MD, MF, CNAME, SOA, MB, MG, MR, NULL, PTR, HINFO, MINFO, MX, TXT, RP, AFSDB, X25, ISDN, RT, NSAPPTR, SIG, KEY, PX, GPOS, AAAA, LOC, NXT, EID, NIMLOC, SRV, ATMA, NAPTR, KX, CERT, DNAME, OPT, APL, DS, SSHFP, RRSIG, NSEC, DNSKEY, DHCID, NSEC3, NSEC3PARAM, TLSA, SMIMEA, HIP, NINFO, RKEY, TALINK, CDS, CDNSKEY, OPENPGPKEY, CSYNC, ZONEMD, SVCB, HTTPS, SPF, UINFO, UID, GID, UNSPEC, NID, L32, L64, LP, EUI48, EUI64, URI, CAA, AVC, TKEY, TSIG, IXFR, AXFR, MAILB, MAILA, ANY, TA, DLV, Reserved

L3 protocols

L3 protocols are the supported Layer 3 protocols. All of the following are available on all architectures:

ETH_P_LOOP, ETH_P_PUP, ETH_P_PUPAT, ETH_P_TSN, ETH_P_IP, ETH_P_X25, ETH_P_ARP, ETH_P_BPQ, ETH_P_IEEEPUP, ETH_P_IEEEPUPAT, ETH_P_BATMAN, ETH_P_DEC, ETH_P_DNADL, ETH_P_DNARC, ETH_P_DNART, ETH_P_LAT, ETH_P_DIAG, ETH_P_CUST, ETH_P_SCA, ETH_P_TEB, ETH_P_RARP, ETH_P_ATALK, ETH_P_AARP, ETH_P_8021_Q, ETH_P_ERSPAN, ETH_P_IPX, ETH_P_IPV6, ETH_P_PAUSE, ETH_P_SLOW, ETH_P_WCCP, ETH_P_MPLSUC, ETH_P_MPLSMC, ETH_P_ATMMPOA, ETH_P_PPPDISC, ETH_P_PPPSES, ETH_P__LINK_CTL, ETH_P_ATMFATE, ETH_P_PAE, ETH_P_AOE, ETH_P_8021_AD, ETH_P_802_EX1, ETH_P_TIPC, ETH_P_MACSEC, ETH_P_8021_AH, ETH_P_MVRP, ETH_P_1588, ETH_P_NCSI, ETH_P_PRP, ETH_P_FCOE, ETH_P_IBOE, ETH_P_TDLS, ETH_P_FIP, ETH_P_80221, ETH_P_HSR, ETH_P_NSH, ETH_P_LOOPBACK, ETH_P_QINQ1, ETH_P_QINQ2, ETH_P_QINQ3, ETH_P_EDSA, ETH_P_IFE, ETH_P_AFIUCV, ETH_P_8023_MIN, ETH_P_IPV6_HOP_BY_HOP, ETH_P_8023, ETH_P_AX25, ETH_P_ALL, ETH_P_8022, ETH_P_SNAP, ETH_P_DDCMP, ETH_P_WANPPP, ETH_P_PPPMP, ETH_P_LOCALTALK, ETH_P_CAN, ETH_P_CANFD, ETH_P_PPPTALK, ETH_P_TR8022, ETH_P_MOBITEX, ETH_P_CONTROL, ETH_P_IRDA, ETH_P_ECONET, ETH_P_HDLC, ETH_P_ARCNET, ETH_P_DSA, ETH_P_TRAILER, ETH_P_PHONET, ETH_P_IEEE802154, ETH_P_CAIF, ETH_P_XDSA, ETH_P_MAP

L4 protocols

L4 protocols are the supported Layer 4 protocols. All of the following are available on all architectures:

IP_PROTO_IP, IP_PROTO_ICMP, IP_PROTO_IGMP, IP_PROTO_IPIP, IP_PROTO_TCP, IP_PROTO_EGP, IP_PROTO_IGP, IP_PROTO_PUP, IP_PROTO_UDP, IP_PROTO_IDP, IP_PROTO_TP, IP_PROTO_DCCP, IP_PROTO_IPV6, IP_PROTO_RSVP, IP_PROTO_GRE, IP_PROTO_ESP, IP_PROTO_AH, IP_PROTO_ICMPV6, IP_PROTO_MTP, IP_PROTO_BEETPH, IP_PROTO_ENCAP, IP_PROTO_PIM, IP_PROTO_COMP, IP_PROTO_SCTP, IP_PROTO_UDPLITE, IP_PROTO_MPLS, IP_PROTO_RAW
